[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: Solaris 8 / IPFilter 3.4.17+ Strangeness
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2001-09-22 16:40:41
[Download RAW message or body]

In some email I received from Peter Haag, sie wrote:
> Hi,
> I've seen similar behaviour on one of our systems. ipfilter started 
> blocking new connections, even if the rules did not change. It did not
> affect all rules in the config, only some of them. Over time more and
> more rules were afected, up to everything got blocked. It resulted in a
> kernel freeze. 
> The log file of ipmon also showed a strage entry, as it may be a result
> of a buffer overflow:
> 
> 06/09/2001 05:16:21.008398 hme2 @0:2 b x.y.z.32,53 ->
> u.v.w.164,3979 PR udp len 20 73  OUT
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@06/09/2001 07:54:31.710393 hme2 @0:12
> b u.t.74.40,1131 -> x.y.z.33,110 PR tcp le
> n 20 40 -R IN

I hate to say it, but the above doesn't look like a buffer overflow.
More like what you might find if someone edited your log file while
it was still open (ie. hacker).  That is unless you've seen it more
than once.

[prev in list] [next in list] [prev in thread] [next in thread]