Tony Arnold tony.arnold at manchester.ac.uk
Thu Mar 29 14:59:57 UTC 2007


R Kimber wrote:
> On Thu, 29 Mar 2007 14:47:15 +0100
> Tony Arnold wrote:
>>> The rules were set up by Firestarter and the info is reported by
>>> logcheck.  The Canonical IP is not always the same, so it's hard to
>>> find a regex that can be used in a logcheck filter
>> I've not used logcheck, but could you get it to look for the SYN ACK
>> at the end of the log message?
> But would that exclude any messages that I ought to see, or are all
> such messages always harmless?

Good question. The SYN ACK packet is a response to an initial SYN packet
sent from your machine when trying to make a connection to a remote
system. So the only time you would be interested in such packets is if a
SYN ACK arrived when no corresponding SYN packet had been sent. I'm not
aware of any attack vectors that do this at the moment and can't see
what such an attack would achieve. So yes, I think you can safely ignore
such messages.

Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
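An added example (not from the thread or from Firestarter/logcheck) of the filter idea discussed above, in Python: it ignores dropped-packet lines whose TCP flags are exactly SYN+ACK while keeping bare SYN lines, and adds the check Tony describes, flagging a SYN ACK with no matching outbound connection. The iptables LOG line format, the "Inbound" prefix and the outbound connection set are assumptions.

```python
import re

# Constructed sample in iptables LOG style (format assumed, not taken from the thread).
# Netfilter prints TCP flags in the order CWR ECE URG ACK PSH RST SYN FIN, so a SYN-ACK
# appears as "ACK SYN"; the pattern accepts either order in case a front end reorders them.
SAMPLE_LOG = """\
Mar 29 14:47:15 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.10 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=80 DPT=45678 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Mar 29 14:47:16 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 14:47:18 box kernel: Inbound IN=eth0 OUT= SRC=192.0.2.44 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=443 DPT=33001 WINDOW=65535 RES=0x00 ACK SYN URGP=0
"""

# logcheck-style ignore rule: a TCP packet whose flag field is exactly SYN+ACK.
# Anchoring between RES= and URGP= stops the rule from also hiding bare SYN lines
# (fresh inbound connection attempts), which are the ones worth reading.
SYN_ACK_RE = re.compile(
    r"kernel: .*PROTO=TCP .*RES=0x[0-9a-fA-F]{2} (ACK SYN|SYN ACK) URGP=\d+$"
)
FIELD_RE = re.compile(r"\b(SRC|DST|SPT|DPT)=(\S+)")


def is_syn_ack(line: str) -> bool:
    """True if the line is a logged TCP packet carrying exactly the SYN and ACK flags."""
    return SYN_ACK_RE.search(line) is not None


def filter_report(log_text: str) -> list[str]:
    """Lines that should still reach the logcheck report after the ignore rule."""
    return [l for l in log_text.splitlines() if l and not is_syn_ack(l)]


def unsolicited_syn_acks(log_text: str, outbound: set[tuple[str, int, int]]) -> list[str]:
    """SYN-ACK lines with no matching outbound SYN (remote_ip, remote_port, local_port).

    'outbound' is assumed to come from the host's own connection tracking; these are
    the SYN-ACKs the reply above says would actually be worth looking at.
    """
    hits = []
    for line in log_text.splitlines():
        if not is_syn_ack(line):
            continue
        fields = dict(FIELD_RE.findall(line))
        key = (fields["SRC"], int(fields["SPT"]), int(fields["DPT"]))
        if key not in outbound:
            hits.append(line)
    return hits
```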
