LOL@preacherman481.... You still helped me find a mistake, so you deserved them :)
Custy_J is on the right track here. Often intrusion attempts show up as 0.0.0.0, but if you have your IDS set to show sa you sometimes get a reported address buried in the session info.
192.168.x.x are Internet Connection Sharing IPs that are assigned by Windows.
Ummm... guys? Might be better to just ask "which firewall."
And, if I'm not mistaken, 0.0.0.0 is typically a listener that isn't bound to any specific interface... so, if you create a new, virtual interface, that listener should also answer on that particular port.

For example, on my laptop, I have:

Code:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

Which is just my SSH daemon, listening to port 22 from any host/port.

And, looking at my sshd_config, I see:

Code:
#ListenAddress 0.0.0.0
#ListenAddress ::

Which are commented out (I tend to leave the defaults for a given value commented out in my configs, personally, even if I don't explicitly set them).

Now, if I connect back to myself on loopback, I get:

Code:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1274 127.0.0.1:22 ESTABLISHED
tcp 0 0 127.0.0.1:22 127.0.0.1:1274 ESTABLISHED

...plus the normal listener, above... but if I connect to my machine by IP (after dropping the connection, above), we see (IP mangled below):

Code:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1274 127.0.0.1:22 TIME_WAIT
tcp 0 0 10.1.7.20:1275 10.1.7.20:22 ESTABLISHED
tcp 0 0 10.1.7.20:22 10.1.7.20:1275 ESTABLISHED

Netstat's a beautiful command... but read it carefully.

Now as far as addresses go, the following networks you will find in RFC1918... otherwise known as "private address space" or "non-routable networks" (which just means that you can't use it out on the Internet and expect it to go anywhere).

Code:
10.0.0.0/8 -> 10.0.0.0 to 10.255.255.255
172.16.0.0/12 -> 172.16.0.0 to 172.31.255.255
192.168.0.0/16 -> 192.168.0.0 to 192.168.255.255

Yes, a lot of VPN and VPN-like things tend to use these non-routable addresses for simple IPs (eg. certain IMs when they're trying to establish a file transfer tunnel between clients) and many LANs use these before they hit a NAT and connect to the Internet (so, yeah, kind of "connection sharing" but, really, it's just a simple way to route packets).

In any case... I hope this helps... considering it's 4am for me, I should probably sleep and hope this makes some sense to someone.
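As an added example (not code from any poster in this thread), here is a small Python script that reads netstat-style output like the listings above and labels each socket the way the post reasons about it: 0.0.0.0 means a wildcard bind that answers on every interface, 127.0.0.1 is loopback, and the three RFC1918 blocks are private space. The sample table and the helper names are constructed for this example.

```python
import ipaddress

# Constructed sample, in the same column layout as the netstat listings above.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1274 127.0.0.1:22 TIME_WAIT
tcp 0 0 10.1.7.20:1275 10.1.7.20:22 ESTABLISHED
tcp 0 0 10.1.7.20:22 10.1.7.20:1275 ESTABLISHED
"""

# The three private blocks from RFC1918, exactly as listed in the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """Label one address: wildcard, loopback, rfc1918 or public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:        # 0.0.0.0 or :: -> bound to every interface
        return "wildcard"
    if ip.is_loopback:           # 127.0.0.0/8 or ::1
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def split_endpoint(endpoint: str):
    """'10.1.7.20:22' -> ('10.1.7.20', '22'); '0.0.0.0:*' -> ('0.0.0.0', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str):
    """Parse a 'Proto Recv-Q Send-Q Local Foreign State' table into dicts."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        proto, _recvq, _sendq, local, foreign, state = line.split()
        lhost, lport = split_endpoint(local)
        fhost, _fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local": local, "port": lport,
                     "state": state, "local_class": classify(lhost),
                     "foreign_class": classify(fhost)})
    return rows


def wildcard_listeners(text: str):
    """Ports that will also answer on any new (e.g. VPN) interface."""
    return sorted({r["port"] for r in parse_netstat(text)
                   if r["state"] == "LISTEN" and r["local_class"] == "wildcard"})
```

Running it over the sample flags port 22 as the only wildcard listener, which is the point the post makes: a daemon bound to 0.0.0.0 shows up on every interface the host has, not just the one you expected.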
Well, 192.168.x.x is NAT, I am pretty sure, and the 0.0.0.0 is pretty much a connection that is just there doing nothing... kind of a local packet that just is there.
It would help if you gave us the name of the firewall you're using and some samples of the suspicious logs...
Ammo