On Mon, Mar 23, 2020 at 2:03 PM Erich Titl <erich.t...@think.ch> wrote:
>
> >>> IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00
> >>> TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3
> >>>
> ...
>
> >>> The user has no idea what this UDP connection is for, and I haven't
> >>> found any program using this port (58129 is supposed to be in the
> >>> dynamic range).
> >>
>
> You could set up a honeypot if it is always the same port or the same host.
Both the SRC host and the port differ. Here's another recent example:

IN=ppp3 OUT= MAC= SRC=2.1.3.4 DST=4.3.2.1.168 LEN=72 TOS=0x00 PREC=0x00 TTL=62 ID=3049 DF PROTO=UDP SPT=42001 DPT=39958 LEN=52 MARK=0x3

I don't know why I'm getting this traffic from supposedly "clean" hosts (no apparent threats).

BTW, if it were always on one port, would I "simply" need to TARPIT (honeypot) that port and then run something like tcpdump on the Shorewall box and on the port in question? If that were true, then which interface should tcpdump use? In my examples above, should it be ppp3?

Thanks,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
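As an added example (not part of the thread and not Shorewall's own code), the script below parses netfilter LOG lines of the kind quoted above, reports how many distinct sources and destination ports they contain, and derives a tcpdump command only when the destination port is stable, which is the condition Erich's honeypot suggestion depends on. The two thread lines are used as posted (including the DST value in the second one); the third sample set, its addresses and its port 51413 are constructed for the example and carry no meaning.

```python
from collections import Counter

# Sample input: the two log lines quoted in the thread, copied as posted.
THREAD_LINES = [
    "IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 "
    "TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3",
    "IN=ppp3 OUT= MAC= SRC=2.1.3.4 DST=4.3.2.1.168 LEN=72 TOS=0x00 PREC=0x00 "
    "TTL=62 ID=3049 DF PROTO=UDP SPT=42001 DPT=39958 LEN=52 MARK=0x3",
]

# Constructed sample for the other case: different sources, one fixed port.
# Addresses (documentation ranges) and the port are made up for this example.
FIXED_PORT_LINES = [
    "IN=ppp3 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=72 TOS=0x00 PREC=0x00 "
    "TTL=51 ID=100 DF PROTO=UDP SPT=40001 DPT=51413 LEN=52 MARK=0x3",
    "IN=ppp3 OUT= MAC= SRC=198.51.100.8 DST=203.0.113.9 LEN=72 TOS=0x00 PREC=0x00 "
    "TTL=44 ID=101 DF PROTO=UDP SPT=40002 DPT=51413 LEN=52 MARK=0x3",
    "IN=ppp3 OUT= MAC= SRC=198.51.100.9 DST=203.0.113.9 LEN=72 TOS=0x00 PREC=0x00 "
    "TTL=59 ID=102 DF PROTO=UDP SPT=40003 DPT=51413 LEN=52 MARK=0x3",
]


def parse_netfilter_line(line):
    """Parse one netfilter/Shorewall LOG line into a dict.

    Tokens are KEY=VALUE (VALUE may be empty, e.g. OUT= MAC=) or bare flags
    such as DF. LEN appears twice: first the IP total length, then, after
    PROTO, the UDP header+payload length; the second copy is kept as L4_LEN.
    """
    fields = {"flags": []}
    for tok in line.split():
        if "=" not in tok:
            fields["flags"].append(tok)
            continue
        key, _, value = tok.partition("=")
        if key in fields:          # second occurrence (LEN after PROTO)
            key = "L4_" + key
        fields[key] = value
    return fields


def udp_payload_bytes(fields):
    """UDP length minus the 8-byte UDP header, i.e. the application payload."""
    return int(fields["L4_LEN"]) - 8


def summarize(lines):
    """Group UDP log lines and decide whether a port-specific capture is possible."""
    udp = [f for f in (parse_netfilter_line(l) for l in lines) if f.get("PROTO") == "UDP"]
    srcs = Counter(f["SRC"] for f in udp)
    dpts = Counter(f["DPT"] for f in udp)
    ifaces = Counter(f["IN"] for f in udp)
    summary = {
        "packets": len(udp),
        "distinct_src": len(srcs),
        "distinct_dpt": len(dpts),
        # IN= is the interface the packet arrived on, so that is where to capture.
        "in_iface": ifaces.most_common(1)[0][0] if ifaces else None,
        "payload_bytes": sorted({udp_payload_bytes(f) for f in udp}),
        "capture_filter": None,
    }
    # A port-specific capture only makes sense when every packet hits one port.
    if len(dpts) == 1:
        port = next(iter(dpts))
        summary["capture_filter"] = (
            "tcpdump -n -i {} -w capture.pcap 'udp and dst port {}'".format(summary["in_iface"], port)
        )
    return summary


if __name__ == "__main__":
    for name, lines in (("thread", THREAD_LINES), ("fixed-port", FIXED_PORT_LINES)):
        print(name, summarize(lines))
```

For the two thread lines the summary reports two sources, two destination ports and no capture filter, which is the situation Vieri describes; for the constructed fixed-port set it emits a capture on ppp3 for that port. The IN= field is the interface the packet came in on, so ppp3 is the right `-i` argument for tcpdump in these examples. The payload size the parser derives (44 bytes for both thread lines) is a useful value to compare against whatever the capture shows. One caveat on the TARPIT idea: the TARPIT target in xtables-addons holds TCP connections open with a zero-window handshake and applies to TCP only, so for UDP traffic like this the capture itself is the useful step.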