08-14-2003, 03:10 PM
PIX, Aug 14 2003, 03:01 AM Wrote: Here's my firewall logs for just today:

Yeah, I got lots too, in fact I have actually decided to exclude them from the logs because it's so common... that and smtp to workstations rather than servers...
Wed Aug 13 09:21:11 2003 - Wed Aug 13 09:21:11 2003 ARP address mismatch 0:40:10:c:18:db N/A ff:ff:ff:ff:ff:ff N/A
Wed Aug 13 09:30:59 2003 - Wed Aug 13 09:30:59 2003 ARP address mismatch 0:40:10:c:18:db N/A ff:ff:ff:ff:ff:ff N/A
Wed Aug 13 09:34:28 2003 - Wed Aug 13 09:34:28 2003 ARP address mismatch 0:40:10:c:18:db N/A ff:ff:ff:ff:ff:ff N/A
Wed Aug 13 13:21:46 2003 truncated IP 216.37.68.121 N/A 225.1.2.3 N/A
Wed Aug 13 16:24:32 2003 truncated IP 216.37.68.121 N/A 224.0.0.10 N/A
Wed Aug 13 17:25:56 2003 Options not valid 216.37.77.172 N/A 239.255.111.109 N/A
This is just what is monitored with my Prelude Intrusion Detection System.
My SNORT logs are immense. I am just Joe Blow to the world so you can guess who is knocking on YOUR doors too. If you have your filtering rules set just right... no one should be able to 'ice' it and you DON'T want to find out. Trust me, .asm, someone is scanning your subnet right now examining all the addresses in your block. I get scans for open ftp, telnet and sql ports EVERY DAY.