Hello all,
I've recently started logging incoming tcp/udp that'll be rejected.
However, not all of the log entries make sense. I've tried port-scanning
myself with nmap, and it clearly shows a great deal of entries on numerous
ports (nothing like the entry shown below).
But take, for instance, an entry like this:
b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN
What is the above? I mean, my guess is some kind of network scan, since
y.y.y.17, y.y.y.24 and y.y.y.60 have connection attempts almost at the
same time on unprivileged ports (note, 17, 24, 60 are the only ones which
are logged). Any clues?
Are there any resources available on the web that explain how to read
and understand ipf logs?
Thanks,
Friendly Regards
/TK
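The entries quoted above follow the ipf (IP Filter / ipmon) log layout: the leading "b" means the packet was blocked ("p" would mean passed), then "source,port -> destination,port", "PR tcp" is the protocol, "len 20 40" is the IP header length and total packet length in bytes (a bare 40-byte TCP packet with no payload), "-S" is the TCP flag set (SYN only, i.e. a connection attempt), and "IN" is the direction on the interface. The same source and source port hitting the same destination port on several hosts in the same moment is the signature of a horizontal sweep for one service; 27374/tcp is the default listening port of the SubSeven backdoor, which is what such sweeps usually look for. The script below is an added example, not part of the original post or of the ipf distribution: it parses lines of this shape and reports any source that SYN-probes the same port on several hosts. It assumes the stripped field layout shown in the post (real ipmon output usually also carries a timestamp, interface and rule number in front, which this regex does not handle); the sample log is constructed from the post's six lines plus two made-up noise lines.

```python
import re
from collections import defaultdict

# Regex for the field layout seen in the post (assumption: action, src,sport,
# "->", dst,dport, "PR" proto, "len" hdrlen totlen, optional "-FLAGS", IN/OUT).
IPF_RE = re.compile(
    r"^(?P<action>[bp])\s+"
    r"(?P<src>[^,\s]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^,\s]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?"          # TCP flags, e.g. -S or -AF; absent for UDP
    r"\s+(?P<direction>IN|OUT)\s*$"
)

# Constructed sample: the six lines from the post plus two noise lines
# (one UDP entry and one single-host TCP probe) that must not be flagged.
SAMPLE_LOG = """\
b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN
b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN
b a.a.a.5,53 -> y.y.y.17,1029 PR udp len 20 68 IN
b x.x.x.20,10101 -> y.y.y.17,22 PR tcp len 20 40 -S IN
""".splitlines()


def parse_line(line):
    """Return a dict of the entry's fields, or None if the line does not match."""
    m = IPF_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "action": "block" if d["action"] == "b" else "pass",
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"],
        "hdr_len": int(d["hlen"]), "total_len": int(d["tlen"]),
        "flags": set(d["flags"]) if d["flags"] else set(),
        "direction": d["direction"],
    }


def describe(entry):
    """Plain-English reading of one parsed entry."""
    flags = "".join(sorted(entry["flags"])) or "none"
    kind = "connection attempt (SYN only)" if entry["flags"] == {"S"} else "packet"
    return (f"{entry['action']}ed inbound {entry['proto']} {kind} from "
            f"{entry['src']}:{entry['sport']} to {entry['dst']}:{entry['dport']}, "
            f"IP header {entry['hdr_len']} bytes, total {entry['total_len']} bytes, "
            f"TCP flags {flags}, direction {entry['direction']}")


def find_horizontal_scans(lines, min_hosts=3):
    """Group SYN-only TCP entries by (source, destination port) and return the
    groups that hit at least min_hosts distinct destination hosts: one source
    sweeping many hosts for one service."""
    targets = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None or e["proto"] != "tcp" or e["flags"] != {"S"}:
            continue
        targets[(e["src"], e["dport"])].add(e["dst"])
    return {key: sorted(hosts) for key, hosts in targets.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print(describe(parse_line(SAMPLE_LOG[0])))
    for (src, dport), hosts in find_horizontal_scans(SAMPLE_LOG).items():
        print(f"sweep: {src} probed tcp/{dport} on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against a real ipmon file, strip the timestamp/interface/rule prefix first (or extend the regex), and raise `min_hosts` to suit the size of the netblock; repeated SYNs to the same three hosts, as in the post, still count as one sweep because the grouping is by distinct destination host rather than by line count.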