LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   TCP DUMP question (https://www.linuxquestions.org/questions/linux-security-4/tcp-dump-question-129846/)

sopiaz57 12-29-2003 02:43 PM

TCP DUMP question
 
Here is a piece from my dump: is this a microsoft RPC worm?

15:31:40.196775 mx14.glamorsex.com.2686 > host01.135: S 3564693896:3564693896(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

15:31:40.196796 host01.135 > mx14.glamorsex.com.2686: R 0:0(0) ack 3564693897 win 0 (DF)

15:31:40.743568 mx14.glamorsex.com.2686 > host01.135: S 3564693896:3564693896(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

15:31:40.743580 host01.135 > mx14.glamorsex.com.2686: R 0:0(0) ack 1 win 0 (DF)


Thanks All
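As an added example (not part of the thread), here is a small parser for the old-style tcpdump lines quoted above. It groups each client's SYNs with the replies so you can see whether the target answered with a SYN/ACK (a listener exists) or reset the connection (nothing listening), and whether repeated SYNs with the same sequence number are one retransmitted attempt rather than separate probes. The sample input is the four lines from the post; the line layout assumed is the pre-4.x tcpdump summary format shown there.

```python
import re
from collections import defaultdict

# Pre-4.x tcpdump TCP summary line layout, as in the dump quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFU.]+) (?P<seq>\d+):\d+\((?P<len>\d+)\)(?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back \d+")  # word boundary so 'sackOK' is not taken as an ack
# Constructed sample input: the four lines from the original post.
SAMPLE_DUMP = """\
15:31:40.196775 mx14.glamorsex.com.2686 > host01.135: S 3564693896:3564693896(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:31:40.196796 host01.135 > mx14.glamorsex.com.2686: R 0:0(0) ack 3564693897 win 0 (DF)
15:31:40.743568 mx14.glamorsex.com.2686 > host01.135: S 3564693896:3564693896(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:31:40.743580 host01.135 > mx14.glamorsex.com.2686: R 0:0(0) ack 1 win 0 (DF)
"""

def parse_line(line):
    # Fields of one tcpdump TCP line as a dict, or None if the line does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq", "len"):
        d[k] = int(d[k])
    return d

def summarize(dump_text):
    # Group packets by (client, server, server port) and count what each side did.
    flows = defaultdict(lambda: {"syns": 0, "isns": set(), "synacks": 0, "rsts": 0})
    for line in dump_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        has_ack = ACK_RE.search(p["rest"]) is not None
        if p["flags"] == "S" and not has_ack:      # client SYN, keyed by client/server/dport
            f = flows[(p["src"], p["dst"], p["dport"])]
            f["syns"] += 1
            f["isns"].add(p["seq"])                # same ISN twice = one attempt, retransmitted
        elif p["flags"] == "S" and has_ack:        # SYN/ACK: a listener on the server answered
            flows[(p["dst"], p["src"], p["sport"])]["synacks"] += 1
        elif "R" in p["flags"]:                    # RST from the server: nothing listening
            flows[(p["dst"], p["src"], p["sport"])]["rsts"] += 1
    return dict(flows)

def classify(flow):
    # Turn the counters into tags a defender can act on.
    tags = []
    if flow["synacks"]:
        tags.append("listener-answered")           # worth checking what is on that port
    elif flow["rsts"] >= flow["syns"] > 0:
        tags.append("target-closed")               # every SYN was reset: host is not exposed
    if flow["syns"] > 1 and len(flow["isns"]) == 1:
        tags.append("retransmit-not-repeat-probe")
    return tuple(tags)
```

For the quoted dump this yields one flow to port 135 that is tagged target-closed and retransmit-not-repeat-probe: both SYNs carry the same sequence number and both were reset, so the host refused the connection each time.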

sopiaz57 12-29-2003 02:50 PM

http://isc.incidents.org

port 135 is always getting slammed

what does everyone do to just block these from any response/cpu time?
How can I see more information from my TCPDUMP, something similar to ethereal?

chort 12-30-2003 02:05 AM

# tcpdump -nXs 1500

That should get the information in format similar to how Ethereal displays it.

Just write an iptables rule to drop all the Microsoft protocols on your external interface, and don't log those dropped packets. That will avoid spamming your kernel log.

sopiaz57 12-30-2003 07:58 AM

cool. I will need to work on writing IPTABLES, never done that before.


Thanks

