Bugtraq: Re: Port 0 oddities

Re: Port 0 oddities

From: Chris Fletcher <chris_at_RIPE.NET>
Date: Thu, 2 Jul 1998 19:22:05 +0200

Bob,

> I've been off bugtraq for a couple of weeks but I just saw these
> messages. I have recently been putting logging into our cisco's rule
> set so that I can see what traffic is being passed through our
> network. I spotted traffic that appeared to be missed by the rules
> as it had src port 0 and dst port 0.

> Further investigation showed that it was ssh that was causing
> this. I have looked at the packets using tcpdump and they look fine
> and what I would expect but the cisco is still reporting packets
> from 0 to 0.

Hmmm... I suspect that lines like this:

  %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.211(0) -> 10.0.0.255(0), 3 packets

with '(0)' for the ports are generated when the router didn't know the
port numbers rather than them actually being 0. If your access-list doesn't
filter on higher level ports I wouldn't expect the router to bother
parsing the TCP/UDP headers so it can't log the port numbers and just
fills in with zeros to keep the format consistent.

<time passes>

Indeed...

The access-list:

  access-list 123 permit ip any any log

generates log messages like this:

  %SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(0) -> 10.0.1.228(0), 5 packets

with zero ports, whereas the access-list:

  access-list 123 permit udp any any range 0 65535 log
  access-list 123 permit tcp any any range 0 65535 log

generates log messages like this:

  %SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(2862) -> 10.0.1.228(25), 5 packets

with non-zero ports.

Chris.
Received on Jul 02 1998
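The distinction Chris draws, that `(0)` in an IPACCESSLOGP line means "port not parsed" unless the ACL entry actually matches on TCP/UDP ports, is easy to get wrong in log triage. The parser below is an added example, not code from the thread or from Cisco; the `l4_acls` parameter is a hypothetical caller-supplied set of ACL names whose entries match on ports, and the sample lines are constructed in the format shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Format of the %SEC-6-IPACCESSLOGP lines quoted in the post.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]  # None when the router never parsed the L4 header
    dport: Optional[int]
    packets: int

def parse_acl_log(line: str, l4_acls: frozenset = frozenset()) -> Optional[AclLogEntry]:
    """Parse one log line.

    l4_acls (hypothetical parameter) names the ACLs whose entries match on
    tcp/udp ports, so the router really parsed the transport header. For any
    other ACL a (0) -> (0) pair is reported as 'ports unknown' (None), not as
    a genuine port-0 flow, which is the misreading the thread describes.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if sport == 0 and dport == 0 and m["acl"] not in l4_acls:
        sport = dport = None
    return AclLogEntry(m["acl"], m["action"], m["proto"], m["src"], m["dst"],
                       sport, dport, int(m["count"]))

# Constructed sample lines in the format shown in the post.
SAMPLE_LINES = [
    "%SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.211(0) -> 10.0.0.255(0), 3 packets",
    "%SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(2862) -> 10.0.1.228(25), 5 packets",
    "not a log line",
]

def port_zero_alerts(lines, l4_acls=frozenset()):
    """Return only entries with a real port 0 on either side (worth alerting on)."""
    entries = (parse_acl_log(line, l4_acls) for line in lines)
    return [e for e in entries if e and (e.sport == 0 or e.dport == 0)]
```

With an empty `l4_acls` the sample `(0) -> (0)` line yields no alert; only when list 100 is declared as port-matching is the same line treated as genuine port-0 traffic.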
