[1970] in linux-security and linux-alert archive
[linux-security] Re: What is someone looking for??
daemon@ATHENA.MIT.EDU (Yury Shevchuk)
Sun Jul 12 04:22:32 1998
Date: Sun, 12 Jul 1998 08:14:16 +0400
From: Yury Shevchuk <sizif@botik.ru>
To: Ryan Matteson <x96matteson@wmich.edu>
Cc: linux-security@redhat.com
In-Reply-To: <35A539BE.B30D9005@wmich.edu>; from Ryan Matteson on Thu, Jul 09, 1998 at 05:44:30PM -0400
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Thu, Jul 09, 1998 at 05:44:30PM -0400, Ryan Matteson wrote:
> I am currently blocking out netbios UDP port 137 on my firewall and was
> wondering what the following means in terms of security:
>
> Jul 9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137
> MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111
>
> I have gotten a few hundred of these and was wondering if there are some
> vulnerabilities related to netbios out there? What do the S/I/F/L fields
> stand for?
From linux/net/ipv4/ip_fw.c:
printk(" L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
ip->frag_off, ip->ttl);
That is,
L = total length of IP packet
S = type of service
I = fragment identifier
F = fragment offset
T = time to live
There could also be multiple O='s, showing the contents of IP options
area of the IP packet.
> Is there a way to tell tcpdump to dump all netbios
> packets originating from outside my present class C to a file for future
> viewing??
tcpdump -s 128 -w - -i ethX not src net 192.111.222/24 and udp port 137 \
| gzip -5 > file
zcat file | tcpdump -nr - | less
zcat file | strings | less
Could these packets be a security threat, to which systems (windows?
nt? linux running samba?) and to what extent? Someone with knowledge
of microsoft networking and neighbourhoods please enlighten
us... unless this becomes off-topic at this point :-)
-- Yury
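Added example (editor's code, not from the thread or the kernel): a parser for the ip_fw.c log format explained above, run over a few constructed log lines to tally who is hitting UDP/137. The regex follows the field layout given in the message (chain, action, interface, protocol, src:port, dst:port, L/S/I/F/T, optional O= tokens). Two points the message does not spell out: the quoted printk() wraps tot_len and id in ntohs() but passes frag_off through raw, so on a little-endian host the F= value has its bytes swapped (the decoder below takes that into account, with a parameter to turn it off); and L=78 for a UDP packet with no IP options leaves 78 - 20 - 8 = 50 bytes of payload, which is the size of one NetBIOS Name Service query (12-byte header, 34-byte encoded name, 2-byte type, 2-byte class). Hostname, addresses (RFC 5737 documentation ranges), the local network and the function names are all made up for the example.

```python
"""Parse ipfwadm-era Linux ip_fw.c log lines and tally UDP/137 probes."""
import ipaddress
import re
from collections import Counter

# Layout of one ip_fw.c log line (after the syslog "kernel: " prefix):
#   IP <chain> <action> <iface> <proto> <src>[:<sport>] <dst>[:<dport>]
#   L=<tot_len> S=0x<tos> I=<id> F=0x<frag_off> T=<ttl> [O=0x.. ...]
LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"IP (?P<chain>fw-\w+) (?P<action>\S+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[^:\s]+)(?::(?P<sport>\d+))? (?P<dst>[^:\s]+)(?::(?P<dport>\d+))? "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]{2}) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]{4}) T=(?P<ttl>\d+)"
    r"(?P<opts>(?: O=0x[0-9A-Fa-f]+)*)\s*$"
)

IP_HDR_LEN = 20   # IP header without options (IHL itself is not logged)
UDP_HDR_LEN = 8


def decode_frag_off(raw, little_endian_host=True):
    """Split the 16-bit frag_off field into DF/MF flags and byte offset.

    The quoted printk() passes ip->frag_off through without ntohs() (unlike
    tot_len and id), so on a little-endian host the two bytes are printed
    swapped: DF appears as 0x0040 instead of 0x4000.  Default assumes x86.
    """
    v = raw
    if little_endian_host:
        v = ((v & 0xFF) << 8) | (v >> 8)
    return {"DF": bool(v & 0x4000), "MF": bool(v & 0x2000),
            "offset": (v & 0x1FFF) * 8}


def parse_line(line):
    """Return a dict of decoded fields, or None if the line is not ip_fw output."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "stamp": d["stamp"], "host": d["host"], "chain": d["chain"],
        "action": d["action"], "iface": d["iface"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        "tot_len": int(d["len"]),        # L= total IP length in bytes
        "tos": int(d["tos"], 16),        # S= type of service
        "ip_id": int(d["id"]),           # I= IP identification
        "ttl": int(d["ttl"]),            # T= time to live
        "frag": decode_frag_off(int(d["frag"], 16)),   # F= flags + offset
        "ip_options": d["opts"].split(),               # O= tokens, if any
    }
    # Payload size is only derivable when there are no IP options, since
    # IHL is not part of the log line.  78 - 20 - 8 = 50 bytes, the size
    # of a single NetBIOS Name Service query.
    if rec["proto"] == "UDP" and not rec["ip_options"]:
        rec["udp_payload_len"] = rec["tot_len"] - IP_HDR_LEN - UDP_HDR_LEN
    else:
        rec["udp_payload_len"] = None
    return rec


def netbios_probes(log_text, local_net="198.51.100.0/24"):
    """Count rejected UDP/137 packets per source outside local_net."""
    net = ipaddress.ip_network(local_net)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "rej":
            continue
        if rec["proto"] != "UDP" or rec["dport"] != 137:
            continue
        if ipaddress.ip_address(rec["src"]) in net:
            continue
        counts[rec["src"]] += 1
    return counts


# Constructed sample log (documentation addresses; "oscar" as in the thread).
SAMPLE_LOG = """\
Jul  9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP 192.0.2.10:137 198.51.100.5:137 L=78 S=0x00 I=46484 F=0x0000 T=111
Jul  9 16:19:07 oscar kernel: IP fw-in rej eth0 UDP 192.0.2.10:137 198.51.100.5:137 L=78 S=0x00 I=46490 F=0x0000 T=111
Jul  9 16:20:41 oscar kernel: IP fw-in rej eth0 UDP 203.0.113.77:137 198.51.100.5:137 L=78 S=0x00 I=1022 F=0x0000 T=119
Jul  9 16:21:02 oscar kernel: IP fw-in rej eth0 TCP 203.0.113.77:1034 198.51.100.5:139 L=44 S=0x00 I=1023 F=0x0040 T=119
Jul  9 16:21:30 oscar kernel: IP fw-in rej eth0 UDP 198.51.100.9:137 198.51.100.5:137 L=78 S=0x00 I=7 F=0x0000 T=128
"""

if __name__ == "__main__":
    for src, n in netbios_probes(SAMPLE_LOG).most_common():
        print(f"{src:16} {n} rejected UDP/137 packets")
```

The last sample line (a 198.51.100.9 source) is deliberately inside the local /24 and is skipped, matching the "not src net" filter in the tcpdump command above; the TCP line to port 139 is skipped by the UDP/137 test but shows the byte-swapped DF flag (F=0x0040) being decoded.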
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null