Incoming intrusion IPs, same source MAC

Hi,

I see lately many attempts from many (hundreds of) IPs across the world, but they all have the same srcmac.

Do they really all come from the same system using spoofed addresses? And should I then block on the MAC address?

 

ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="xxxxxxx" srcip="190.172.76.20" dstip="xxxxxxx" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="64143" dstport="23" tcpflags="SYN" 
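As an added example (not from this thread), a small Python script that parses lines in the ulogd packetfilter format above and groups dropped packets by initf and srcmac. A srcmac that fronts many unrelated public source IPs is the layer-2 next hop (modem or router) rather than the origin host, so a MAC block there would cut off everything arriving on that interface, not the scanners. The sample lines are constructed; only the first srcip and the srcmac are taken from the post, the other addresses and the dstmac/dstip are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log in the ulogd key="value" format from the question.
SAMPLE_LOG = """\
ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="00:11:22:33:44:55" srcip="190.172.76.20" dstip="203.0.113.10" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="64143" dstport="23" tcpflags="SYN"
ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="00:11:22:33:44:55" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" length="40" tos="0x00" prec="0x00" ttl="48" srcport="51000" dstport="22" tcpflags="SYN"
ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="00:11:22:33:44:55" srcip="192.0.2.99" dstip="203.0.113.10" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="40001" dstport="23" tcpflags="SYN"
ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth0" srcmac="00:a2:89:26:54:19" dstmac="00:11:22:33:44:55" srcip="10.0.0.5" dstip="203.0.113.10" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="50000" dstport="443" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line):
    """Turn one ulogd key="value" line into a dict; text outside the pairs is ignored."""
    return dict(KV_RE.findall(line))


def group_by_srcmac(log_text):
    """Group packetfilter events by (initf, srcmac) and collect what hides behind each MAC."""
    groups = defaultdict(lambda: {"srcips": set(), "dstports": set(), "actions": set(), "count": 0})
    for line in log_text.splitlines():
        ev = parse_ulogd(line)
        if ev.get("sub") != "packetfilter" or "srcmac" not in ev:
            continue
        g = groups[(ev.get("initf"), ev["srcmac"])]
        g["srcips"].add(ev.get("srcip"))
        g["dstports"].add(ev.get("dstport"))
        g["actions"].add(ev.get("action"))
        g["count"] += 1
    return groups


def looks_like_next_hop(group, min_distinct_ips=3):
    """Many distinct source IPs behind one MAC means the MAC is the L2 neighbour, not the sender."""
    return len(group["srcips"]) >= min_distinct_ips


if __name__ == "__main__":
    for (initf, mac), g in group_by_srcmac(SAMPLE_LOG).items():
        verdict = "L2 next hop (do not block by MAC)" if looks_like_next_hop(g) else "single host"
        print(f"{initf} {mac}: {g['count']} pkts, {len(g['srcips'])} src IPs, "
              f"ports {sorted(g['dstports'])}, actions {sorted(g['actions'])} -> {verdict}")
```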




  • The source MAC is not the MAC address of the origin source. It's the address of the system where the L2 packets come from. Normally it's the MAC address of the LAN interface of your UTM or Internet modem.

  • Hi,

    It's interesting: going through all the logs on the UTM, only the intrusion (telnet/ssh) ones have that source MAC; normal traffic (logged for a while) does not have that MAC address. And it's not the address of the router or my UTM. Confusing :)

  • Hi,

    According to the MAC address it must be a Cisco device. Do you have any Cisco devices in your WAN/LAN? Is the address similar to another device's? E.g. the ports of a switch always have unique MAC addresses; they only differ in the last positions.

    Maybe the provider's modem has another virtual interface with a management IP address which your UTM doesn't know, so IPS blocks traffic from this interface. But why should a management interface forward public traffic!?

     

    Jas

     

    BTW: Is initf="eth2" your WAN interface?
