
Dropping MS RPC traffic

Hi, in ASL 3.219, I am having trouble dropping traffic on port 135 (MS RPC, mostly from the Blaster worm, I believe).

I have defined a service MS-RPC with source:any, dest:any, tcp/udp, port 135, and added a rule (#1) to DROP it, but it is still showing up in the logs:
Code:
 17:25:20 216.63.220.92 2081 ->  123.123.123.70  135 TCP SYN

  

It is listed on the filter livelog page as:
 Code:
Chain USR_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3014  145K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1024:65535 dpt:135 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:1024:65535 dpt:135

 

How can I get ASL to not log these packets?

Thanks    


  • Strangely, SOME of the packets DO get dropped, but many still show up in the logs.

    If I try to create my own connections on port 135 (with telnet), the packets get dropped.

    However, other packets (from Blaster, I assume) get logged.

      