Firewall logging question.

[soehest]

I am experimenting a bit with remote syslog and firewall logging and stumbled across this:

Mar 17 02:02:14 server kernel: DROP  <4>DROP IN=eth0 OUT= MAC=08:60:6f:21:b6:f0:68:ef:bd:85:a6:d9:08:00 <1>SRC=xxx.xxx.xxx.xxx DST=yyy.yyy.yyy.yyy <1>LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=808 PROTO=TCP <1>SPT=57233 DPT=1234 SEQ=2861804318 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
Mar 17 02:02:15 server kernel: DROP  <4>DROP IN=eth0 OUT= MAC=08:60:6f:21:b6:f0:68:ef:bd:85:a6:d9:08:00 <1>SRC=xxx.xxx.xxx.xxx DST=yyy.yyy.yyy.yyy <1>LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=34783 PROTO=TCP <1>SPT=57234 DPT=1234 SEQ=2861738783 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4

Drop is generated by issuing nmap -Pn -sS yyy.yyy.yyy.yyy -p 1234 at xxx.xxx.xxx.xxx. What I find odd is that it will log two times even with only a single scan. I have not experienced this with other types of routers/firewall where it will only log 1 line. Is this normal behavior?

 

[Nullity]

Can you increase the verbosity of nmap and see exactly what packets it is sending?

 

[Nathan MIller]

That looks like two different packets with two different source ports and sequence numbers. It isn't logging a duplicate. It's logging what it is seeing twice...at least from what I can tell by what you provided.

 

[soehest]

Can you increase the verbosity of nmap and see exactly what packets it is sending?

Brilliant idea
Having tried nmap with options: nmap -v8 --packet-trace -Pn -sS yyy.yyy.yyy.yyy 1234 I can see you are both correct. There are actually two packets sent. Think the culprit may be in that my previous solution used --limit 1/m --limit-burst 1, which would explain why I only was seeing one packet. Thanks for the idea of increasing verbosity

Another question but related:

Mar 17 02:02:14 server kernel: DROP <4>DROP IN=eth0 OUT= MAC=08:60:6f:21:b6:f0:68:ef:bd:85:a6:d9:08:00 <1>SRC=xxx.xxx.xxx.xxx DST=yyy.yyy.yyy.yyy <1>LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=808 PROTO=TCP <1>SPT=57233 DPT=1234 SEQ=2861804318 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)

What are the <4> and <1> which is appended. My firewall log parser does not like them so I have to remove them which is not a big deal but a bit annoying. Especially when i do not know what those values in <> are?

Regards