
incoming intrusion ip's same source mac

hi,


I see lately many attempts from many (hundreds of) IPs across the world, but they all have the same srcmac.

Do they really all come from the same system using spoofed addresses? And should I make a block on the MAC address then?


ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="xxxxxxx" srcip="190.172.76.20" dstip="xxxxxxx" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="64143" dstport="23" tcpflags="SYN" 
  • Hi,

    It's interesting: going through all the logs on the UTM, only the intrusion (telnet/ssh) ones have that source MAC; normal traffic (logged for a while) does not have that MAC address. And it's not the address of the router or my UTM. Confusing :)

  • Hi,

    According to the MAC address it must be a Cisco device. Do you have any Cisco devices in your WAN/LAN? Is the address similar to another device? E.g. the ports of a switch always have unique MAC addresses; they only differ in the last positions.

    Maybe the provider's modem has another virtual interface with a management IP address which your UTM doesn't know. So IPS will block traffic from this interface. But why should a management interface forward public traffic!?


    Jas


    BTW: Is initf="eth2" your WAN interface?

  • Hi,

    Oddly, no, it's not a Cisco (visibly); yes, eth2 is the WAN address. Big mystery :) as no other traffic has that source address.

  • Yep, mystical..... I've heard the title music of the X-Files in my brain after reading it :)
    (and I've just realized how old I am..... "X-Files".....)

    Then, in my opinion, it must be another device in the provider's LAN which forwards traffic to your connection. Is the destination IP your WAN IP?

  • Guys, the srcmac on traffic arriving from the Internet is that of your ISP's last-hop router if your modem is in bridge mode. If it's in routing mode, then it's the MAC of the NIC connected to your UTM.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
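To make Bob's point checkable against your own logs (and to answer the original question of whether a MAC block makes sense), here is an added example that is not part of the thread and not Sophos code. It parses the ulogd key="value" format shown in the first post, groups dropped WAN packets by srcmac, and counts the distinct public source IPs and destination ports behind each MAC. The sample log lines are constructed for the example (documentation-range IPs plus the one IP from the first post); the interface name eth2, the rule id and the MAC are taken from the thread. Hundreds of unrelated source IPs sharing one srcmac is exactly what a layer-3 hop (the ISP's last-hop router, or the modem's LAN NIC) looks like, which is why a block on that MAC would also cut off every allowed connection that arrives through the same hop.

```python
"""Group Sophos UTM / ulogd packetfilter drops by source MAC.

Added example, not from the thread or from Sophos. It reads the key="value"
log format shown in the original post and reports, per srcmac, how many
distinct srcip values and which dstports were seen on the WAN interface.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input in the page's ulogd format (not real log data).
# Four drops on eth2 share one srcmac but have different public srcips;
# one drop on eth0 (LAN side, different MAC) is there to show the filter.
SAMPLE_LOG = """\
ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="00:11:22:33:44:55" srcip="190.172.76.20" dstip="203.0.113.10" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="64143" dstport="23" tcpflags="SYN"
ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="00:11:22:33:44:55" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" length="40" tos="0x00" prec="0x00" ttl="49" srcport="51022" dstport="23" tcpflags="SYN"
ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="00:11:22:33:44:55" srcip="198.51.100.200" dstip="203.0.113.10" proto="6" length="40" tos="0x00" prec="0x00" ttl="44" srcport="40311" dstport="22" tcpflags="SYN"
ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="00:a2:89:26:54:19" dstmac="00:11:22:33:44:55" srcip="192.0.2.55" dstip="203.0.113.10" proto="6" length="40" tos="0x00" prec="0x00" ttl="57" srcport="60001" dstport="23" tcpflags="SYN"
ulogd[24863]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" srcmac="aa:bb:cc:dd:ee:01" dstmac="00:11:22:33:44:66" srcip="10.0.0.23" dstip="10.0.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="5353" dstport="5353" tcpflags=""
"""

# Matches each key="value" pair; values in this format never contain quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd_line(line):
    """Return the key/value fields of one ulogd line as a dict (empty if none)."""
    return dict(KV_RE.findall(line))


def summarize_by_srcmac(lines, interface="eth2", action="drop"):
    """Aggregate packet count, distinct srcip set and dstport counts per srcmac,
    considering only lines on the given inbound interface with the given action."""
    stats = defaultdict(lambda: {"packets": 0, "srcips": set(), "dstports": Counter()})
    for line in lines:
        fields = parse_ulogd_line(line)
        if fields.get("initf") != interface or fields.get("action") != action:
            continue
        mac = fields.get("srcmac")
        if not mac:
            continue
        entry = stats[mac]
        entry["packets"] += 1
        entry["srcips"].add(fields.get("srcip"))
        entry["dstports"][fields.get("dstport")] += 1
    return stats


def mac_looks_like_upstream_hop(entry, min_distinct_ips=3):
    """Heuristic: one MAC fronting several unrelated source IPs is a layer-3 hop
    (router or modem NIC) rather than a single attacking host, so a MAC-based
    block would hit all traffic through that hop, not just the scanner."""
    return len(entry["srcips"]) >= min_distinct_ips


def report(stats):
    """Render one summary line per srcmac."""
    out = []
    for mac, e in sorted(stats.items()):
        verdict = ("many IPs behind one MAC: likely upstream router/modem NIC"
                   if mac_looks_like_upstream_hop(e) else "few IPs behind this MAC")
        out.append(f"{mac}: {e['packets']} drops, {len(e['srcips'])} distinct srcip, "
                   f"dstports {dict(e['dstports'])} -> {verdict}")
    return out


if __name__ == "__main__":
    print("\n".join(report(summarize_by_srcmac(SAMPLE_LOG.splitlines()))))
```

Run it against a real export by replacing `SAMPLE_LOG.splitlines()` with the lines of your packetfilter log; the interface filter (`initf`) is what separates WAN-side drops from LAN noise, and comparing the result with `action="accept"` on the same interface shows whether allowed and blocked traffic really do arrive with different source MACs, as the thread observes.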
  • Sure, that's what I also wrote/meant in my first post.

    But why does the blocked traffic come from a different MAC address than the allowed traffic?