Hi all, anybody can give me information about the kernel message called "martian source" written in "/var/log/messages"??? What does it mean? Thank Bye Paolo
On Monday 02 August 2004 08:45, Paolo Santancini wrote:
> Hi all, anybody can give me information about the kernel message called "martian source" written in "/var/log/messages"??? What does it mean?
Martian source is network traffic from the wrong subnet appearing on an interface. E.g.:

eth0 has IP 192.168.0.1 on subnet 255.255.255.0
eth1 has IP 192.168.1.1 on subnet 255.255.255.0

This means that eth0 should only see IP traffic from IP addresses in its subnet (192.168.0.x) and eth1 should only see traffic from its subnet (192.168.1.x).

If an IP on the network (say a forgotten printer or something) is still configured with a previous network address (202.167.2.34) and is seen on eth1, it will be seen as a martian source.

If one of the machines on the network 192.168.0.x is plugged into the wrong switch and is effectively on the same network segment (physical) as eth1, then you will see martian source from that IP address (or you have multiple networks that the Linux box is not aware of).

Martian source is not a major thing, but it is making you aware of the fact that something in your network setup is either set up incorrectly or not configured optimally.

> Thank Bye Paolo
-- Do not overtax your powers.
The Monday 2004-08-02 at 09:08 +0200, b@rry.co.za wrote:
> Martian source is network traffic from the wrong subnet appearing on an interface.
> E.g. eth0 has IP 192.168.0.1 on subnet 255.255.255.0, eth1 has IP 192.168.1.1 on subnet 255.255.255.0
Not only that, but also from impossible addresses in internet address space (i.e., from Mars), like 127.0.0.1. See:

Jul 16 13:09:37 nimrodel kernel: martian source 213.129.182.216 from 127.0.0.1, on dev ppp0
Jul 16 13:09:37 nimrodel kernel: ll header: 45:08:00:28

(213.129.182.216 was my IP that time.) Normally, the second line would list the ethernet MAC address of the interface the packet came from.

Snort also logs them, as "Bad Traffic":

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/01-02:37:10.164828 127.0.0.1:80 -> 213.129.182.221:1834
TCP TTL:127 TOS:0x0 ID:21849 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x56F0001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

All "alerts" I have claim to come from port 80 to various ports:

cer@nimrodel:~> zgrep 127.0.0.1 /var/log/snort/alert.?.gz
/var/log/snort/alert.1.gz:08/01-02:37:10.164828 127.0.0.1:80 -> 213.129.182.221:1834
/var/log/snort/alert.2.gz:07/30-19:59:48.221343 127.0.0.1:80 -> 213.129.181.31:1269
/var/log/snort/alert.2.gz:07/31-01:55:52.679345 127.0.0.1:80 -> 213.129.182.178:1025
/var/log/snort/alert.3.gz:07/28-12:20:52.115005 127.0.0.1:80 -> 213.129.183.107:1140
/var/log/snort/alert.3.gz:07/28-12:21:57.039125 127.0.0.1:80 -> 213.129.183.107:1529
/var/log/snort/alert.3.gz:07/28-12:22:26.248682 127.0.0.1:80 -> 213.129.183.107:1289
/var/log/snort/alert.3.gz:07/28-12:22:44.208949 127.0.0.1:80 -> 213.129.183.107:1785
/var/log/snort/alert.4.gz:07/27-21:35:33.208422 127.0.0.1:80 -> 213.129.182.113:1367
/var/log/snort/alert.4.gz:07/27-21:52:00.739293 127.0.0.1:80 -> 213.129.182.113:1983
/var/log/snort/alert.5.gz:07/26-12:15:06.898668 127.0.0.1:80 -> 213.129.183.39:1508
/var/log/snort/alert.6.gz:07/25-01:39:35.937136 127.0.0.1:80 -> 213.129.181.7:1094
/var/log/snort/alert.7.gz:07/24-20:17:01.785892 127.0.0.1:80 -> 213.129.180.47:1213
/var/log/snort/alert.7.gz:07/24-20:17:51.700094 127.0.0.1:80 -> 213.129.180.47:1470
/var/log/snort/alert.7.gz:07/24-20:23:44.781624 127.0.0.1:80 -> 213.129.182.18:1560

I wonder what "hole" they are after?

-- Cheers, Carlos Robinson
Addresses not allowed on the public network, usually those specified in RFC 1918.

On Mon, 2 Aug 2004, Paolo Santancini wrote:
> Hi all, anybody can give me information about the kernel message called "martian source" written in "/var/log/messages"??? What does it mean?
> Thank Bye Paolo
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
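As an added illustration (not code from any of the posters), the following Python parses kernel "martian source" lines like the one Carlos quoted and classifies the source address along the lines the replies describe: loopback or otherwise impossible addresses, RFC 1918 addresses on a public link, a host from another interface's subnet on the wrong segment, or a stale address outside every local subnet. The interface table is constructed from the thread's examples (eth0/eth1 from Barry's reply, ppp0 from Carlos's log), and the second and third sample log lines are constructed for this example.

```python
import ipaddress
import re

# Constructed interface layout taken from the thread's examples.
INTERFACES = {
    "eth0": ipaddress.ip_interface("192.168.0.1/24"),
    "eth1": ipaddress.ip_interface("192.168.1.1/24"),
    "ppp0": ipaddress.ip_interface("213.129.182.216/32"),
}

# Kernel log format: "martian source <dst> from <src>, on dev <if>"
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)"
)


def classify_martian(src: str, dev: str, interfaces=INTERFACES) -> str:
    """Return a human-readable reason why src is martian on dev."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback:
        return "impossible source: loopback address on the wire"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "impossible source: multicast/reserved/unspecified address"
    iface = interfaces.get(dev)
    if iface is None:
        return f"unknown interface {dev}"
    # A host from another local subnet: plugged into the wrong segment.
    for name, other in interfaces.items():
        if name != dev and ip in other.network:
            return f"belongs to {name}'s subnet {other.network}: host on wrong segment"
    if ip.is_private and not iface.ip.is_private:
        return "RFC 1918 address arriving on a public link"
    return "address outside every local subnet: stale config or unknown network"


def parse_martians(log_lines):
    """Yield (src, dev, reason) for each martian-source line; other lines skipped."""
    results = []
    for line in log_lines:
        m = MARTIAN_RE.search(line)
        if m:
            results.append((m["src"], m["dev"], classify_martian(m["src"], m["dev"])))
    return results


# Constructed sample: line 1 is Carlos's, lines 3-4 follow Barry's scenarios.
SAMPLE_LOG = [
    "Jul 16 13:09:37 nimrodel kernel: martian source 213.129.182.216 from 127.0.0.1, on dev ppp0",
    "Jul 16 13:09:37 nimrodel kernel: ll header: 45:08:00:28",
    "Aug  2 08:40:01 gw kernel: martian source 192.168.1.1 from 202.167.2.34, on dev eth1",
    "Aug  2 08:41:13 gw kernel: martian source 192.168.1.1 from 192.168.0.7, on dev eth1",
]

if __name__ == "__main__":
    for src, dev, why in parse_martians(SAMPLE_LOG):
        print(f"{dev}: {src} -> {why}")
```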