On Monday 2004-08-02 at 09:08 +0200, b@rry.co.za wrote:

> Martian source is network traffic from the wrong subnet appearing on an interface.
> e.g. eth0 has IP 192.168.0.1 on subnet 255.255.255.0, eth1 has IP 192.168.1.1 on subnet 255.255.255.0

Not only that, but also from impossible addresses in Internet address space (i.e., from Mars), like 127.0.0.1. See:

Jul 16 13:09:37 nimrodel kernel: martian source 213.129.182.216 from 127.0.0.1, on dev ppp0
Jul 16 13:09:37 nimrodel kernel: ll header: 45:08:00:28

(213.129.182.216 was my IP at that time.) Normally, the second line would list the Ethernet MAC address of the interface the packet came from.

Snort also logs them, as "Bad Traffic":

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/01-02:37:10.164828 127.0.0.1:80 -> 213.129.182.221:1834
TCP TTL:127 TOS:0x0 ID:21849 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x56F0001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

All "alerts" I have claim to come from port 80 to various ports:

cer@nimrodel:~> zgrep 127.0.0.1 /var/log/snort/alert.?.gz
/var/log/snort/alert.1.gz:08/01-02:37:10.164828 127.0.0.1:80 -> 213.129.182.221:1834
/var/log/snort/alert.2.gz:07/30-19:59:48.221343 127.0.0.1:80 -> 213.129.181.31:1269
/var/log/snort/alert.2.gz:07/31-01:55:52.679345 127.0.0.1:80 -> 213.129.182.178:1025
/var/log/snort/alert.3.gz:07/28-12:20:52.115005 127.0.0.1:80 -> 213.129.183.107:1140
/var/log/snort/alert.3.gz:07/28-12:21:57.039125 127.0.0.1:80 -> 213.129.183.107:1529
/var/log/snort/alert.3.gz:07/28-12:22:26.248682 127.0.0.1:80 -> 213.129.183.107:1289
/var/log/snort/alert.3.gz:07/28-12:22:44.208949 127.0.0.1:80 -> 213.129.183.107:1785
/var/log/snort/alert.4.gz:07/27-21:35:33.208422 127.0.0.1:80 -> 213.129.182.113:1367
/var/log/snort/alert.4.gz:07/27-21:52:00.739293 127.0.0.1:80 -> 213.129.182.113:1983
/var/log/snort/alert.5.gz:07/26-12:15:06.898668 127.0.0.1:80 -> 213.129.183.39:1508
/var/log/snort/alert.6.gz:07/25-01:39:35.937136 127.0.0.1:80 -> 213.129.181.7:1094
/var/log/snort/alert.7.gz:07/24-20:17:01.785892 127.0.0.1:80 -> 213.129.180.47:1213
/var/log/snort/alert.7.gz:07/24-20:17:51.700094 127.0.0.1:80 -> 213.129.180.47:1470
/var/log/snort/alert.7.gz:07/24-20:23:44.781624 127.0.0.1:80 -> 213.129.182.18:1560

I wonder what "hole" they are after?

-- 
Cheers,
Carlos Robinson
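The two definitions in the thread (a source that belongs to another local interface's subnet, and a source that can never be a legitimate Internet sender, such as 127.0.0.1) can both be checked mechanically. The following is an added example, not code posted by either participant: a small scanner that parses Linux "martian source" kernel lines and Snort alert headers of the form shown above, classifies each source address, and tallies which source port the spoofed packets claim. The interface table, the extra sample lines marked as constructed, and all function names are assumptions made for the example; the first kernel line and the first Snort header are the ones quoted in the thread.

```python
"""Flag martian source addresses in kernel and Snort log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical interface layout, taken from b@rry's eth0/eth1 illustration.
IFACE_SUBNETS: Dict[str, ipaddress.IPv4Network] = {
    "eth0": ipaddress.ip_network("192.168.0.0/24"),
    "eth1": ipaddress.ip_network("192.168.1.0/24"),
}

# Linux logs "martian source <dst> from <src>, on dev <if>" (dst first, src second).
KERNEL_RE = re.compile(r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")
# Snort alert header: "MM/DD-HH:MM:SS.usec SRC:SPORT -> DST:DPORT"
SNORT_RE = re.compile(r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

SAMPLE_LINES = [
    # Quoted in the thread: loopback source arriving on the PPP link.
    "Jul 16 13:09:37 nimrodel kernel: martian source 213.129.182.216 from 127.0.0.1, on dev ppp0",
    # Constructed: a sender from eth1's subnet seen on eth0 (b@rry's definition).
    "Jul 16 13:10:02 nimrodel kernel: martian source 192.168.0.1 from 192.168.1.7, on dev eth0",
    # Quoted in the thread: Snort header of the loopback alert.
    "08/01-02:37:10.164828 127.0.0.1:80 -> 213.129.182.221:1834",
    # Constructed: ordinary reply from a public (documentation-range) address; must not be flagged.
    "08/01-02:40:00.000000 198.51.100.10:80 -> 213.129.182.221:1835",
    # Constructed: source 0.0.0.0, another address that cannot originate Internet traffic.
    "08/01-02:41:00.000000 0.0.0.0:80 -> 213.129.182.221:1836",
]


@dataclass
class Finding:
    origin: str                 # "kernel" or "snort"
    src: str
    reason: str
    dev: str = ""               # kernel lines name the receiving interface
    sport: Optional[int] = None  # Snort lines carry the claimed source port


def martian_reason(src: str) -> Optional[str]:
    """Return why `src` can never be a legitimate Internet sender, or None if it could be."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback:
        return "loopback (127.0.0.0/8)"
    if ip.is_unspecified:
        return "unspecified (0.0.0.0)"
    if ip.is_multicast:
        return "multicast address used as source"
    if ip.is_link_local:
        return "link-local (169.254.0.0/16)"
    if ip.is_reserved:  # 240.0.0.0/4, including 255.255.255.255
        return "reserved (240.0.0.0/4)"
    return None


def wrong_interface(src: str, dev: str) -> Optional[str]:
    """Name the local interface whose subnet `src` belongs to, if it is not `dev`."""
    ip = ipaddress.ip_address(src)
    for iface, net in IFACE_SUBNETS.items():
        if iface != dev and ip in net:
            return iface
    return None


def parse_kernel(line: str) -> Optional[Tuple[str, str, str]]:
    m = KERNEL_RE.search(line)
    return (m["src"], m["dst"], m["dev"]) if m else None


def parse_snort(line: str) -> Optional[Tuple[str, int, str, int]]:
    m = SNORT_RE.search(line)
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"])) if m else None


def scan(lines: List[str]) -> List[Finding]:
    """Apply both martian tests to every recognised line; unrecognised lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        k = parse_kernel(line)
        if k:
            src, _dst, dev = k
            reason = martian_reason(src)
            other = wrong_interface(src, dev)
            if reason or other:
                findings.append(Finding("kernel", src, reason or f"belongs to {other}'s subnet", dev=dev))
            continue
        s = parse_snort(line)
        if s:
            src, sport, _dst, _dport = s
            reason = martian_reason(src)
            if reason:
                findings.append(Finding("snort", src, reason, sport=sport))
    return findings


def claimed_ports(findings: List[Finding]) -> Dict[int, int]:
    """Histogram of the source ports spoofed packets claim (the thread's 'all from port 80')."""
    counts: Dict[int, int] = {}
    for f in findings:
        if f.sport is not None:
            counts[f.sport] = counts.get(f.sport, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.origin:6} src={f.src:15} dev={f.dev or '-':5} {f.reason}")
    print("claimed source ports:", claimed_ports(scan(SAMPLE_LINES)))
```

The kernel only emits these lines when `net.ipv4.conf.<interface>.log_martians` is enabled, and `rp_filter` is what makes it drop them; the Snort rule fires independently of either, so the two logs cross-check each other. Note that `is_private` is deliberately not used as a martian test: RFC 1918 sources are impossible on an Internet-facing link like ppp0 but perfectly normal on eth0/eth1, so that decision belongs to the per-interface table, not to the address alone.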