Greg, afaik the violations are from both interfaces. The way to tell them apart is to be familiar with your networks.
Look here, this is a violation on the internal network:

23:57:35 192.168.111.26 138 -> 192.168.111.255 138 UDP

Clearly, 192.168.111.0 is my internal network - and this is the source of the entry. I have set up my firewall to drop unwanted traffic, and NetBIOS leaking out of my network is a violation.
Now see here, this is a violation on the external network:

23:57:38 217.xx.xx.43 138 -> 217.xx.xx.63 138 UDP

This is the external network IP range.
Another, easier way to tell is to ssh into the console and run "tail -f /var/log/kernel". An example:

Aug 29 00:02:23 gateway kernel: UDP Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:8b:b0:1d:72:08:00 SRC=192.168.111.244 DST=192.168.111.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=17031 PROTO=UDP SPT=138 DPT=138 LEN=209

Aug 29 00:05:00 gateway kernel: UDP Drop: IN=eth1 OUT= MAC=00:50:da:4b:83:ce:00:b0:c2:88:db:bb:08:00 SRC=62.xyz.wxy.xx DST=62.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=15721 PROTO=UDP SPT=137 DPT=137 LEN=58
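
The IN= field in the kernel lines above names the interface the dropped packet arrived on, which is what separates the two cases. As an added example (not part of the original post), this shell function tallies drops per inbound interface, protocol/port and source. All sample lines except the first are constructed, and eth0 carrying the internal range and eth1 the external one is taken from the post's sample output only.

```shell
#!/bin/sh
# Added example: summarise "Drop:" kernel log lines by inbound interface.

# Sample input. The first line is the eth0 entry quoted in the post; the rest
# are constructed (203.0.113.0/24 is a documentation range, MACs are made up).
sample_log() {
cat <<'EOF'
Aug 29 00:02:23 gateway kernel: UDP Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:8b:b0:1d:72:08:00 SRC=192.168.111.244 DST=192.168.111.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=17031 PROTO=UDP SPT=138 DPT=138 LEN=209
Aug 29 00:03:10 gateway kernel: UDP Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:8b:b0:1d:72:08:00 SRC=192.168.111.244 DST=192.168.111.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=17032 PROTO=UDP SPT=138 DPT=138 LEN=209
Aug 29 00:03:35 gateway kernel: UDP Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:00:00:00:01:08:00 SRC=192.168.111.26 DST=192.168.111.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=4410 PROTO=UDP SPT=138 DPT=138 LEN=209
Aug 29 00:05:00 gateway kernel: UDP Drop: IN=eth1 OUT= MAC=02:00:00:00:00:02:02:00:00:00:00:03:08:00 SRC=203.0.113.43 DST=203.0.113.63 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=15721 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 29 00:06:10 gateway kernel: eth1: link up
EOF
}

# Reads log lines on stdin and prints "<iface> <proto>/<dport> <src> <count>",
# one line per distinct combination, sorted. Lines without "Drop:" are ignored.
summarize_drops() {
  awk '
    / Drop: / {
      ifc = ""; src = "?"; proto = "?"; dpt = "-"   # "-" when no DPT (e.g. ICMP)
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^IN=/)    ifc   = substr($i, 4)
        else if ($i ~ /^SRC=/)   src   = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (ifc == "") ifc = "(none)"                 # empty IN= field
      n[ifc " " proto "/" dpt " " src]++
    }
    END { for (k in n) print k, n[k] }
  ' | LC_ALL=C sort
}

sample_log | summarize_drops
```

On the gateway itself the same function can be fed from the log file named in the post, e.g. `summarize_drops < /var/log/kernel`.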