
Re: [suse-security] Martian Source



> On Thu, 24 Oct 2002 10:11:57 +0200 (CEST)
> "Grosswiler Roger" <roger@xxxxxxxxxxx> wrote:
>
>> >
>> > On Thu, 24 Oct 2002, Grosswiler Roger wrote:
>> >
>> >> > Joerg Henner wrote:
>> >> > [...]
>> >> >>>ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
>> >> >>>                             ^^^^^^^^^^^^^^^^^
>> >> This does not really seem to be a MAC-Address..
>> >> http://www.susesecurity.com/faq/ -> see about in the middle for
>> Martians...
>> >> I found another link...how about this one?
>> >> >>
>> >> >>
>> >> >> *giggl* - well, I meant that HE has to find the Network-Card
>> with
>> >> the specified MAC-Address ;))))
>> >> >>
>> >> >
>> >> > arp
>> >> >
>> >> > Or am I missing something here?
>> >> >
>> >> > Christian
>> >
>> > ok, Roger gave you the link where to read more about.
>> > This is a message from kernel routing.
>> > Please check both lines in /var/log/messages, the first one tells you
>> the (claimed) source IP and the destination IP and the interface
>> where it was detected. The second one (see above) contains the MACs
>> from where to where the packet should be routed. Both should be
>> interfaces on the same net segment, one belongs probably to the
>> listed interface (eth0).
>> >
>> > What do these messages tell you?
>> > If the (claimed) source IP is a valid IP in your LAN, and these
>> messages are random somehow (well, I need to explain this in more
>> detail ..), then it's most likely a mis-configured client, for
>> example routing (see in docs mentioned above).
>> > If the source IP is not valid in your LAN, and you have these
>> messages in a sequence (for example every 2 seconds, or increasing
>> IP), then it's most likely that someone scans with spoofed IPs.
>> >
>> > What to do?
>> > If you don't care about the scans (probably 'cause you know that
>> your firewall is prepared for it:), then you may just ignore these
>> messages. If you feel that it's a mis-configured client, fix it.
>> > You simply may switch off the logging by
>> >
>> > 	echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians
>> By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not
>> work as I still get those messages...
>
> Please try
>
> echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians
> echo 0 >/proc/sys/net/ipv4/conf/all/log_martians
> echo 0 >/proc/sys/net/ipv4/conf/default/log_martians
>
>> >
>> > Does this answer your question?
>> > Achim
>> >
Yop! Now I don't get them any longer! Thanks!
>> >
>> > --
>> > Check the headers for your unsubscription address
>> > For additional commands, e-mail: suse-security-help@xxxxxxxx
>> > Security-related bug reports go to security@xxxxxxx, not here
>
>
> --
> ------------------------  /"\
> Andreas.Tirok@xxxxxxxxx   \ / ASCII Ribbon Campaign
> fon: +49 30 549932-0       X  Against HTML Mail
> fax: +49 30 549932-21     / \
>




-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
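
Added example, not part of the original thread: a small parser for the two-line kernel message discussed above, which splits the quoted "ll header" into destination MAC, source MAC and EtherType and flags whether the claimed source IP lies inside the local network. The IP addresses in the sample log, the host name "fw" and the LAN prefix passed in are constructed assumptions; only the ll header bytes come from the thread.

```python
import ipaddress
import re

# Constructed sample of the two-line kernel message discussed in the thread.
# The IP addresses are made up; the ll header is the one quoted above.
SAMPLE_LOG = """\
Oct 24 10:02:11 fw kernel: martian source 192.168.1.255 from 10.9.8.7, on dev eth0
Oct 24 10:02:11 fw kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
"""

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})\b", re.I)


def split_ll_header(hexbytes):
    """Split a 14-byte Ethernet header into dst MAC, src MAC, EtherType."""
    b = hexbytes.lower().split(":")
    if len(b) != 14:
        raise ValueError("not a 14-byte Ethernet header")
    return ":".join(b[0:6]), ":".join(b[6:12]), "0x" + "".join(b[12:14])


def parse_martians(log_text, lan_cidr):
    """Pair each 'martian source' line with the 'll header' line after it."""
    lan = ipaddress.ip_network(lan_cidr)
    events, pending = [], None
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            # The kernel prints the destination first, then the claimed source.
            dst_ip, src_ip, dev = m.groups()
            pending = {"dst_ip": dst_ip, "src_ip": src_ip, "dev": dev,
                       "src_in_lan": ipaddress.ip_address(src_ip) in lan}
            events.append(pending)
            continue
        m = LL_RE.search(line)
        if m and pending is not None:
            dst_mac, src_mac, ethertype = split_ll_header(m.group(1))
            pending.update(dst_mac=dst_mac, src_mac=src_mac, ethertype=ethertype)
            pending = None
    return events


if __name__ == "__main__":
    for ev in parse_martians(SAMPLE_LOG, "192.168.1.0/24"):
        print(ev)
```

For the header quoted in the thread this yields a broadcast destination (ff:ff:ff:ff:ff:ff), the sender's MAC 00:09:7b:8d:08:54 and EtherType 0x0800 (IPv4); the source MAC is the value to look up in the ARP table or on the switch.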