-
March 24th, 2002, 05:13 AM
#11
LOL@preacherman481.... You still helped me find a mistake, so you deserved them
-
March 24th, 2002, 05:36 AM
#12
Member
Custy_J is on the right track here. Often intrusion attempts show up as 0.0.0.0, but if you have your IDS set to show sa you sometimes get a reported address buried in the session info.
It must be them again. Start the response cycle.
-
May 12th, 2002, 10:13 AM
#13
192.168.x.x are Internet Connection Sharing IPs that are assigned by Windows.
-
May 24th, 2002, 12:19 PM
#14
Ummm... guys? Might be better to just ask "which firewall."
And, if I'm not mistaken, 0.0.0.0 is typically a listener that isn't bound to any specific
interface... so, if you create a new, virtual interface, that listener should also answer
on that particular port.
For example, on my laptop, I have:
Code:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
Which is just my SSH daemon, listening to port 22 from any host/port.
And, looking at my sshd_config, I see:
#ListenAddress 0.0.0.0
#ListenAddress ::
Which are commented out (I tend to leave the defaults for a given value
commented out in my configs, personally, even if I don't explicitly set them).
Now, if I connect back to myself on loopback, I get:
Code:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1274 127.0.0.1:22 ESTABLISHED
tcp 0 0 127.0.0.1:22 127.0.0.1:1274 ESTABLISHED
...plus the normal listener, above... but if I connect to my machine by IP (after
dropping the connection, above), we see (IP mangled below):
Code:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1274 127.0.0.1:22 TIME_WAIT
tcp 0 0 10.1.7.20:1275 10.1.7.20:22 ESTABLISHED
tcp 0 0 10.1.7.20:22 10.1.7.20:1275 ESTABLISHED
Netstat's a beautiful command... but read it carefully.
Now as far as addresses go, the following networks you will find in RFC1918...
otherwise known as "private address space" or "non-routeable networks" (which
just means that you can't use it out on the Internet and expect it to go anywhere).
Code:
10.0.0.0/8 -> 10.0.0.0 to 10.255.255.255
172.16.0.0/12 -> 172.16.0.0 to 172.31.255.255
192.168.0.0/16 -> 192.168.0.0 to 192.168.255.255
Yes, a lot of VPN and VPN-like things tend to use these non-routeable addresses
for simple IPs (eg. certain IMs when they're trying to establish a file transfer tunnel
between clients) and many LANs use these before they hit a NAT and connect to
the Internet (so, yeah, kind of "connection sharing" but, really, it's just a simple way
to route packets).
In any case... I hope this helps... considering it's 4am for me, I should probably
sleep and hope this makes some sense to someone.
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
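Added example, not part of the original posts: a small Python parser that reads netstat rows like the ones in post #14 and labels each address as wildcard (0.0.0.0), loopback, RFC1918, or other, then reports which ports are listening on every interface. The function names and the last sample row (a listener bound to 192.168.0.5) are assumptions made up for the illustration.

```python
import ipaddress

# RFC 1918 ranges exactly as listed in the post above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Third netstat listing from the post, plus one constructed row (last line).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1274 127.0.0.1:22 TIME_WAIT
tcp 0 0 10.1.7.20:1275 10.1.7.20:22 ESTABLISHED
tcp 0 0 10.1.7.20:22 10.1.7.20:1275 ESTABLISHED
tcp 0 0 192.168.0.5:631 0.0.0.0:* LISTEN
"""

def classify(addr):
    """Label one IPv4 address the way the post reads netstat output."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "wildcard"   # 0.0.0.0: not tied to one interface or host
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"    # private space, never a real Internet source
    return "other"

def parse_netstat(text):
    """Turn TCP rows into dicts; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or f[0] != "tcp":
            continue
        lhost, lport = f[3].rsplit(":", 1)
        rhost, rport = f[4].rsplit(":", 1)
        rows.append({"local": lhost, "lport": lport, "remote": rhost,
                     "rport": rport, "state": f[5],
                     "local_class": classify(lhost),
                     "remote_class": classify(rhost)})
    return rows

def exposed_listeners(rows):
    """Ports in LISTEN on 0.0.0.0, i.e. answering on every interface."""
    return sorted({int(r["lport"]) for r in rows
                   if r["state"] == "LISTEN" and r["local_class"] == "wildcard"})

if __name__ == "__main__":
    for r in parse_netstat(SAMPLE):
        print(r["local"], r["lport"], r["state"], r["local_class"], r["remote_class"])
    print("listening on all interfaces:", exposed_listeners(parse_netstat(SAMPLE)))
```

Port 631 is left out of the result because that listener is bound to a single address, which is the distinction the ListenAddress lines in sshd_config control.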
-
May 27th, 2002, 05:05 AM
#15
Well, 192.168.x.x is NAT, I am pretty sure, and the 0.0.0.0.0 is pretty much a connection that is just there doing nothing... kind of a local packet that just is there.
"A weak mind is like a microscope, which magnifies trifling things but cannot receive great ones." — G.K. Chesterton, 19th-century English essayist and poet
-
May 27th, 2002, 05:19 AM
#16
It would help if you gave us the name of the firewall you're using and some samples of the suspicious logs...
Ammo
Credit travels up, blame travels down -- The Boss