Can someone help me decipher this single log excerpt? The bits I understand I have filled in. I was getting this exactly every half minute. I have scanned the online shorewall docs but did not see how a newbie can read the logs. I have also found that Port 500 is for ISAKMP, which means nothing to me. (Computing Dictionary Definition: Internet Security Association and Key Management Protocol)
Is this identifiable as a particular worm/virus from this info? I have not found one with this sig (googling). Which one identifies the port hit on my firewall (SPT=) or (DPT=)? I know they are the same in this instance. Why a separate source port and destination port (SPT= DPT=)? Why two length (LEN=) statements?

####### The log entry (my comments start with //)
## I have split it into readable chunks.

Sep 13 17:02:24 solid kernel:   // Date time host log-source
Shorewall:net2all:DROP:IN=ppp0   // Does net2all mean to all boxes behind the firewall?
OUT= MAC=   // OUT=??? MAC= ethernet card addresses
SRC=203.79.82.168 DST=203.79.67.151   // SRC=Someone else on my ISP. DST=My machine (I confirmed this)
LEN=29 TOS=0x00 PREC=0x00 TTL=58 ID=31755   // ???
PROTO=UDP   // UDP I sort of understand is an alternative to TCP
SPT=500 DPT=500 LEN=9   // Source Port, Destination Port, LEN ???

######### End log entry

-- Michael
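A small parser for this netfilter/Shorewall log format, added here as an example that is not part of the original post or of Shorewall itself: it splits the KEY=VALUE fields, keeps the second LEN (the UDP length) separate from the first (the IP packet length), and produces a one-line reading in which, for an inbound (IN=) packet, DPT is the port hit on the logging host and SPT the sender's port. The length check assumes a 20-byte IP header with no options.

```python
import re

# Constructed sample: the log line from the post above, joined onto one line.
SAMPLE = ("Sep 13 17:02:24 solid kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= "
          "SRC=203.79.82.168 DST=203.79.67.151 LEN=29 TOS=0x00 PREC=0x00 TTL=58 "
          "ID=31755 PROTO=UDP SPT=500 DPT=500 LEN=9")

# syslog prefix, then the Shorewall "chain:action:" prefix, then netfilter KEY=VALUE tokens
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")

def parse_shorewall_line(line):
    """Return a dict for one Shorewall log line, or None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")   # "OUT=" and "MAC=" give empty values
        if key in fields:
            # The second LEN comes after PROTO and is the transport-layer length
            # (for UDP: header plus payload); the first LEN is the IP total length.
            key = fields.get("PROTO", "L4") + "_" + key
        fields[key] = value
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "chain": m.group("chain"), "action": m.group("action"), "fields": fields}

def lengths_consistent(rec):
    """Check IP LEN == 20-byte IP header + UDP LEN (assumes no IP options)."""
    f = rec["fields"]
    if f.get("PROTO") != "UDP" or "UDP_LEN" not in f:
        return None
    return int(f["LEN"]) == 20 + int(f["UDP_LEN"])

def summarize(rec):
    """One-line reading: DPT is the port hit on the logging host, SPT the sender's port."""
    f = rec["fields"]
    proto = f.get("PROTO", "?")
    return (f"{rec['action']} in chain {rec['chain']} on {f.get('IN') or '-'}: "
            f"{proto} {f.get('SRC')}:{f.get('SPT', '-')} -> "
            f"{f.get('DST')}:{f.get('DPT', '-')} "
            f"(IP len {f.get('LEN')}, {proto} len {f.get(proto + '_LEN', '-')})")

if __name__ == "__main__":
    rec = parse_shorewall_line(SAMPLE)
    print(summarize(rec))
    print("lengths consistent:", lengths_consistent(rec))
```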
