[Dshield] Iptables parsing

David Cary Hart DShield at TQMcube.com
Thu Jun 9 16:55:28 GMT 2005


On Thu, 2005-06-09 at 07:42 -0400, Don wrote:

> Jun  8 04:09:45 gw kernel: ICMP Drop IN=eth1 OUT=
> MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
> DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=38065 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=23037 
> Jun  8 09:54:44 gw kernel: ICMP Drop IN=eth1 OUT=
> MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
> DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=9379 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=14801 
> Jun  8 11:56:20 gw kernel: ICMP Drop IN=eth1 OUT=
> MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
> DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=6509 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=33474 
> Jun  8 13:55:21 gw kernel: ICMP Drop IN=eth1 OUT=
> MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
> DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=1686 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=63667 
> 
Correct me if I'm wrong, folks, but Dshield excludes ICMP.

> None of this shows up as being reported in my database. The reports I get
> back (when I get one back) always show 0 lines imported. Whereas the output
> from my Dlink router does get entered into the database:

> Jun/08/2005 14:59:37
>  Drop UDP packet from WAN src:61.152.158.126:58033 dst:68.106.147.232:1029
> Rule: Default deny
> Jun/08/2005 14:59:37
>  Drop UDP packet from WAN src:61.152.158.126:58033 dst:68.106.147.232:1026
> Rule: Default deny
> Jun/08/2005 14:58:35
>  Drop UDP packet from WAN src:204.253.46.76:20148 dst:68.106.147.232:1026
> Rule: Default deny

> Lines written to database (up to 10):
> Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53
> DST=224.0.0.251 LEN=114 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP
> SPT=5353 DPT=5353 LEN=94 
> 
> Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53
> DST=224.0.0.251 LEN=132 TOS=0x00 PREC=0x00 TTL=255 ID=1 DF PROTO=UDP
> SPT=5353 DPT=5353 LEN=112 
> 
You have an inconsistency - UDP vs ICMP.

-- 
Multi-RBL Check:         http://www.TQMcube.com/rblcheck.htm
Kill Spam at the Source: http://www.TQMcube.com/spam_trap.htm
Today's Spam Trap Adds:  http://www.TQMcube.com/BlockedToday
RBLDNSD HowTo:           http://www.TQMcube.com/rbldnsd.htm
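As an added example (not part of the thread or of any DShield client), here is a parser for the netfilter LOG lines quoted above. It shows the difference between the two record types: the UDP entries carry SPT=/DPT=, the ICMP entries carry TYPE=/CODE= and no ports, so an importer that requires a source and destination port would skip every ICMP line. The sample input is constructed by joining the wrapped lines back into single syslog lines, plus one unrelated kernel message.

```python
import re

# Sample input, constructed by joining the wrapped syslog lines quoted above
# back into one line each (netfilter LOG output is a single syslog line).
SAMPLE_LOG = """\
Jun  8 04:09:45 gw kernel: ICMP Drop IN=eth1 OUT= MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131 DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=38065 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=23037
Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53 DST=224.0.0.251 LEN=114 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=94
Jun  8 04:10:00 gw kernel: eth1: link is up
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_netfilter_line(line):
    """Parse one netfilter LOG line into a dict, or return None if it is not one."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    msg = m.group("msg")
    start = re.search(r"(?:^| )IN=", msg)  # the rule's --log-prefix precedes the first IN=
    if not start:
        return None
    prefix, body = msg[:start.start()].strip(), msg[start.start():]
    fields = {}
    for key, val in KV_RE.findall(body):
        fields.setdefault(key, val)  # LEN= and ID= repeat for the inner header; keep the IP ones
    flags = [tok for tok in body.split() if "=" not in tok]  # bare tokens such as DF
    rec = {
        "timestamp": m.group("ts"), "host": m.group("host"), "prefix": prefix,
        "src": fields.get("SRC"), "dst": fields.get("DST"), "proto": fields.get("PROTO"),
        "flags": flags, "sport": None, "dport": None, "icmp_type": None, "icmp_code": None,
    }
    if rec["proto"] in ("TCP", "UDP") and "SPT" in fields:
        # non-first fragments are logged without ports, hence the "SPT" in fields check
        rec["sport"], rec["dport"] = int(fields["SPT"]), int(fields["DPT"])
    elif rec["proto"] == "ICMP":
        # ICMP has no ports: a parser that insists on SPT=/DPT= would silently skip these
        rec["icmp_type"], rec["icmp_code"] = int(fields["TYPE"]), int(fields["CODE"])
    return rec


def parse_netfilter_log(text):
    """Parse a whole log; kernel messages that are not netfilter LOG output are dropped."""
    return [r for r in (parse_netfilter_line(l) for l in text.splitlines()) if r]
```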
