
incoming intrusion ip's same source mac

hi,

I see lately many attempts from many (hundreds of) IPs across the world, but they all have the same srcmac.

Do they really all come from the same system using spoofed addresses? And should I make a block on the MAC address then?

 

ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="xxxxxxx" srcip="190.172.76.20" dstip="xxxxxxx" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="64143" dstport="23" tcpflags="SYN" 

  • The source MAC is not the MAC address of the origin source. It's the address of the system the L2 packets come from. Normally it's the MAC address of the LAN interface of your UTM or Internet modem.

  • hi,

    It's interesting: going through all the logs on the UTM, only the intrusion (telnet/ssh) ones have that source MAC; normal traffic (logged for a while) does not have that MAC address. And it's not the address of the router or my UTM. Confusing :)

  • Hi,

    according to the MAC address it must be a Cisco device. Do you have any Cisco devices in your WAN/LAN? Is the address similar to another device? E.g. the ports of a switch always have unique MAC addresses; they only differ in the last positions.

    Maybe the provider's modem has another virtual interface with a management IP address which your UTM doesn't know, so IPS will block traffic from this interface. But why should a management interface forward public traffic!?

    Jas

    BTW: Is initf="eth2" your WAN interface?

  • Hi,

    Oddly, no, it's not a Cisco (visibly). Yes, eth2 is the WAN address. Big mystery :) as no other traffic has that source address.

  • Yep, mystical..... I've heard the title music of the X-Files in my brain after reading it :)
    (and I've just realized how old I am..... "X-Files".....)

    Then, in my opinion, it must be another device in the provider's LAN which forwards traffic to your connection. Is the destination IP your WAN IP?

  • Guys, the srcmac on traffic arriving from the Internet is that of your ISP's last-hop router if your modem is in bridge mode. If it's in routing mode, then it's the MAC of the NIC connected to your UTM.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sure, that's what I also wrote/meant in my first post.

    But why does the blocked traffic come from a different MAC address than the allowed traffic?
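    As an added example (not code from any poster or from Sophos), a small Python script that parses ulogd lines like the one in the first post and tabulates, per srcmac on the WAN interface, how many hits were dropped versus accepted and how many distinct source IPs and destination ports were seen. It is one way to check both the first question and this one: if a MAC appears only on blocked traffic, that points at a different upstream L2 device handing packets to the WAN port, not at the remote hosts. The sample lines beyond the quoted one, and the second MAC, are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the one quoted in the thread; lines 2-4 are made up here
# so that dropped and accepted traffic on the WAN interface can be compared.
SAMPLE_LOG = [
    'ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" '
    'name="Packet dropped" action="drop" fwrule="60001" initf="eth2" '
    'srcmac="00:a2:89:26:54:19" dstmac="xxxxxxx" srcip="190.172.76.20" dstip="xxxxxxx" '
    'proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="64143" dstport="23" tcpflags="SYN"',
    'ulogd[24863]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" '
    'initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="xxxxxxx" srcip="203.0.113.7" dstip="xxxxxxx" '
    'proto="6" ttl="48" srcport="50111" dstport="22" tcpflags="SYN"',
    'ulogd[24863]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" '
    'initf="eth2" srcmac="00:11:22:33:44:55" dstmac="xxxxxxx" srcip="198.51.100.9" dstip="xxxxxxx" '
    'proto="6" ttl="55" srcport="44020" dstport="443" tcpflags="SYN"',
    'ulogd[24863]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" '
    'initf="eth1" srcmac="00:11:22:33:44:66" dstmac="xxxxxxx" srcip="192.168.1.10" dstip="xxxxxxx" '
    'proto="17" ttl="64" srcport="5353" dstport="53"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_ulogd(line):
    """Turn a ulogd key="value" line into a dict; the 'ulogd[pid]:' prefix carries no fields."""
    return dict(KV_RE.findall(line))

def profile_by_srcmac(lines, initf="eth2"):
    """Per source MAC seen on one interface: hits per action, distinct source IPs, distinct dst ports."""
    prof = {}
    for rec in map(parse_ulogd, lines):
        if rec.get("initf") != initf or "srcmac" not in rec:
            continue
        e = prof.setdefault(rec["srcmac"], {"actions": defaultdict(int), "srcips": set(), "dstports": set()})
        e["actions"][rec.get("action", "?")] += 1
        e["srcips"].add(rec.get("srcip"))
        e["dstports"].add(rec.get("dstport"))
    return prof

def macs_seen_only_dropped(prof):
    """MACs that never carry accepted traffic. Because srcmac is the last L2 hop (ISP router
    or modem), not the remote host, such a MAC means a different upstream device is handing
    those packets to the WAN port; it says nothing about the hundreds of source IPs themselves."""
    return sorted(mac for mac, e in prof.items() if set(e["actions"]) == {"drop"})

if __name__ == "__main__":
    for mac, e in profile_by_srcmac(SAMPLE_LOG).items():
        print(mac, dict(e["actions"]), len(e["srcips"]), "src IPs, dst ports", sorted(e["dstports"]))
```

    Feeding it a full packetfilter log export instead of SAMPLE_LOG shows directly whether the MAC in question is ever paired with an accept.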
