[Logcheck-devel] Fwd: wall.oerlikon.madduck.net 2006.07.22.2250 Security Events
Todd Troxell
ttroxell at debian.org
Wed Jul 26 03:13:26 UTC 2006
On Mon, Jul 24, 2006 at 03:43:12PM +0100, martin f krafft wrote:
> also sprach Jamie L. Penman-Smithson <lists at silverdream.org> [2006.07.24.1535 +0100]:
> > > Security Events
> > > =-=-=-=-=-=-=-
> > > Jul 22 22:48:40 wall kernel: martian source 84.72.30.149
> > > from 127.0.0.1, on dev wan
> > >
> > > ----- End forwarded message -----
> >
> > I vote no.. If you want to ignore these messages, use local rules instead.
>
> Okay. Could you explain to me what these messages are? Maybe I am
> just not getting it. It seems that martians are attempts of
> spoofing, but the above message only leads me to conclude there's
> some weird routing issue going on. It's a crap log message for one,
> given that "source" and "from" mean the same thing, really.
This message would occur in the following circumstances:
(fib_frontend.c:fib_validate_source(...))

/* Given (packet source, input interface) and optional (dst, oif, tos):
   - (main) check, that source is valid i.e. not broadcast or our local
     address.
   - figure out what "logical" interface this packet arrived
     and calculate "specific destination" address.
   - check, that packet arrived from expected physical interface.
 */

I dunno. We don't want to get a message every time someone tries to send
from 127.0.0.1, but it seems pretty anomalous.
--
Todd Troxell
http://rapidpacket.com/~xtat
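
An added example, not part of the original message or of logcheck's shipped rules: a narrowly scoped local ignore rule of the kind suggested in the thread, checked against sample lines, plus a helper that labels the two addresses in the kernel message. The second and third log lines, the rule itself and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input; the first line is the one quoted in this thread.
sample_log() {
cat <<'EOF'
Jul 22 22:48:40 wall kernel: martian source 84.72.30.149 from 127.0.0.1, on dev wan
Jul 22 22:49:02 wall kernel: martian source 84.72.30.149 from 192.0.2.7, on dev wan
Jul 22 22:50:11 wall kernel: martian source 10.0.0.1 from 127.0.0.1, on dev lan
EOF
}

# The kernel prints the packet's destination address after "martian source"
# and its source address after "from". This helper relabels the fields so a
# report reads unambiguously.
explain_martian() {
    sed -n -E 's/^.* kernel: martian source ([0-9.]+) from ([0-9.]+), on dev ([^ ]+)$/dst=\1 src=\2 dev=\3/p'
}

# Hypothetical local rule, one extended regex per line as logcheck expects.
# It ignores only loopback-sourced martians arriving on dev "wan"; every
# other martian line is still reported.
RULE='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from 127\.[0-9]+\.[0-9]+\.[0-9]+, on dev wan$'

# Lines that would still show up in the report with the rule in place.
still_reported() {
    sample_log | grep -E -v -- "$RULE" || true
}

still_reported | explain_martian
```

Keeping the interface name and the 127.0.0.0/8 source in the pattern means a martian with any other source, or one arriving on another interface, is not silenced.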