Re: [suse-security] Could need some help to understand logMessage
On Tuesday 05 June 2001 16:51, you wrote:
hello Maarten,
"Martian source" means the kernel received a packet that, according to routing table / netmask, cannot legally arrive there. This would happen, for instance, if you configured your network for 192.168.x.x and a packet claiming to be from 10.x.x.x arrived there, etc. Thus, a sanity check.
[...]
So, the message reads something like: "Unexpected, illegal packet claiming to be from 195.222.110.11 destined for 195.222.110.255 detected on eth0."
thank you very much for your mail. This was very helpful. It kind of makes sense now. 195.222.110.11_ is my IP if you add one more digit.
As far as I understand this, there was a problem with an outgoing packet? Strange!
I'm not sure, I don't know your network-setup. It could be someone is / was trying to do nasty stuff, but it could also be some misconfiguration or a hardware-glitch, or whatever. To find out more we'd need more info, like routing tables, the topology of your network / lan / whatever it is that you have, etc.
But I'd prefer it -if you want to find out more- if you post that to the list, not private mail, so others may contribute too.
Anyhow, glad to be of help,
Cheers,
Maarten
hello Maarten,
thank you very much for your mail. This was very helpful. It kind of makes sense now. 195.222.110.11_ is my IP if you add one more digit.
As far as I understand this, there was a problem with an outgoing packet? Strange!
I'm not sure, I don't know your network-setup. It could be someone is / was trying to do nasty stuff, but it could also be some misconfiguration or a hardware-glitch, or whatever.
To find out more we'd need more info, like routing tables, the topology of your network / lan / whatever it is that you have, etc.
Well, I don't administrate the network, I am just an interested end user. Here is what I know. I am connected to the net of the dormitory, our IPs are 195.222.110.* with the gateway being 195.222.110.254. There is no special routing on my machine, everything goes to the default gateway. Every floor has its own switch and they are all connected to one master switch which is connected to the line of our ISP (at least I think it is this way, but I am pretty sure it is). 195.222.110.11 is on another floor and should not end up at my switch and/or PC, but it did. I did not change anything that day nor did I install any software. There are exactly 701 "martian source" entries in my /var/log/messages, starting Jun 4, 15:49 and ending Jun 4, 16:07. However, the scanlogd entries, which show up about every minute during the same time, show an IP that belongs to an ISP in the US. Does this help?
But I'd prefer it -if you want to find out more- if you post that to the list, not private mail, so others may contribute too.
Oops, sorry.
Take care and thank you everybody! -phil
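An added example, not part of the original messages: a small triage script that groups "martian source" entries from a syslog file by claimed source, destination and interface, with count and time span, which is the kind of summary asked for in the thread. The log lines, the hostname `host`, the MAC bytes, the function name `summarize` and the /24 netmask are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in classic syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jun  4 15:49:02 host kernel: martian source 195.222.110.255 from 195.222.110.11, on dev eth0
Jun  4 15:49:02 host kernel: ll header: ff:ff:ff:ff:ff:ff:00:10:5a:00:00:01:08:00
Jun  4 15:55:40 host kernel: martian source 195.222.110.255 from 195.222.110.11, on dev eth0
Jun  4 16:07:13 host kernel: martian source 195.222.110.255 from 195.222.110.11, on dev eth0
Jun  4 16:08:00 host kernel: martian source 192.168.1.5 from 10.0.0.7, on dev eth0
"""

# The kernel prints the destination first, then the claimed source.
MARTIAN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: martian source "
    r"(?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")

def summarize(log_text, local_net="195.222.110.0/24"):
    """Group martian-source entries by (src, dst, dev) with count and time span."""
    net = ipaddress.ip_network(local_net)  # the /24 netmask is an assumption
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = MARTIAN.match(line)
        if not m:
            continue  # skips "ll header" and unrelated lines
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        g = groups[(m["src"], m["dst"], m["dev"])]
        g["count"] += 1
        g["first"] = g["first"] or m["ts"]
        g["last"] = m["ts"]
        # A claimed source inside the local subnet, sent to the subnet
        # broadcast, is the pattern described in the thread.
        g["src_in_local_net"] = src in net
        g["dst_is_broadcast"] = dst == net.broadcast_address
    return dict(groups)

if __name__ == "__main__":
    for (src, dst, dev), g in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst} on {dev}: {g}")
```
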
participants (2)
- Maarten van den Berg
- Phil Schrettenbrunner