Odd flags logged
-
I have never seen this combination of flags, and from an M$ IP range no less. Yikes. Does anyone have any insight into what caused this combination of flags? It may only be two actual packets because I have rules that only match on unknown flag combinations and there are only two distinct times logged.
Mar 20 14:23:54 fw filterlog: 143,16777216,,1456347399,em1,match,unkn(%u),in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
Mar 20 14:23:54 fw filterlog: 151,16777216,,1456347426,em1,match,unkn(%u),in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
Mar 20 14:23:54 fw filterlog: 317,16777216,,1446645102,em1,match,block,in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
Mar 20 14:23:58 fw filterlog: 143,16777216,,1456347399,em1,match,unkn(%u),in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
Mar 20 14:23:58 fw filterlog: 151,16777216,,1456347426,em1,match,unkn(%u),in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
Mar 20 14:23:58 fw filterlog: 317,16777216,,1446645102,em1,match,block,in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
Also, does anyone know the format for these logs? Where can I find the definition of all the fields? I assume one of them is the TCP sequence number?
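The post above asks what the fields in these lines mean. What follows is an added example, not code from the original post and not pfSense's own code: a small Python parser for the filterlog CSV record as laid out in the pfSense "Filter Log Format" documentation, run over the six lines quoted above. The field order and the letter-to-flag mapping for the tcp-flags column (S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG, E=ECE, C=CWR) are taken from that documentation and are assumptions here; the sample input is the poster's own lines, with the destination already masked as 1.2.3.4 in the post.

```python
# Added example (not from the original post or from pfSense): a parser for the
# pfSense filterlog CSV record, used to decode the lines quoted in the post.
# Field order follows the pfSense "Filter Log Format" documentation; the
# letter -> flag mapping below is assumed from that documentation.
from collections import defaultdict

# Assumed letter -> flag mapping used by filterlog for the tcp-flags field.
FLAG_LETTERS = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
                "P": "PSH", "U": "URG", "E": "ECE", "C": "CWR"}

# Field names, in order, for the common header and the per-layer sub-records.
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto", "proto_name",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto_name", "proto",
        "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["sport", "dport", "datalen"]

MARKER = "filterlog: "


def parse_filterlog(line):
    """Parse one syslog line carrying a filterlog record.

    Returns a dict of named fields (all strings, exactly as logged) or None
    when the line is not a filterlog record. Odd action strings such as the
    literal "unkn(%u)" seen in the post are kept verbatim, not interpreted.
    """
    if MARKER not in line:
        return None
    prefix, body = line.split(MARKER, 1)
    rec = {"timestamp": " ".join(prefix.split()[:3])}  # e.g. "Mar 20 14:23:54"
    fields = body.strip().split(",")
    rec.update(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    layer = {"4": IPV4, "6": IPV6}.get(rec.get("ipversion"))
    if layer is None:
        return rec
    rec.update(zip(layer, rest))
    rest = rest[len(layer):]
    if rec.get("proto_name") == "tcp":
        rec.update(zip(TCP, rest))
        # Decode the flag letters; an unexpected letter is kept as "?X".
        rec["flag_names"] = [FLAG_LETTERS.get(c, "?" + c)
                             for c in rec.get("tcpflags", "")]
    elif rec.get("proto_name") == "udp":
        rec.update(zip(UDP, rest))
    return rec


def is_ecn_setup_syn(rec):
    """True for a bare SYN that also carries ECE and CWR.

    RFC 3168 defines exactly this combination as the ECN-setup SYN a client
    sends to negotiate ECN; it is not a malformed or unknown flag set.
    """
    return set(rec.get("flag_names", [])) == {"SYN", "ECE", "CWR"}


def distinct_packets(records):
    """Group records by the fields that identify one packet on the wire.

    Several rules can each log the same packet, so the number of log lines
    is not the number of packets. The timestamp, 5-tuple, IP id and TCP
    sequence number together identify a packet; the rule numbers that
    matched it are collected per packet.
    """
    groups = defaultdict(list)
    for r in records:
        if r is None or r.get("proto_name") != "tcp":
            continue
        key = (r["timestamp"], r["src"], r["sport"], r["dst"], r["dport"],
               r["id"], r["seq"])
        groups[key].append(r["rulenr"])
    return dict(groups)


# Sample input: the six lines from the post (destination masked as 1.2.3.4 there).
SAMPLE_LINES = [
    "Mar 20 14:23:54 fw filterlog: 143,16777216,,1456347399,em1,match,unkn(%u),in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "Mar 20 14:23:54 fw filterlog: 151,16777216,,1456347426,em1,match,unkn(%u),in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "Mar 20 14:23:54 fw filterlog: 317,16777216,,1446645102,em1,match,block,in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "Mar 20 14:23:58 fw filterlog: 143,16777216,,1456347399,em1,match,unkn(%u),in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "Mar 20 14:23:58 fw filterlog: 151,16777216,,1456347426,em1,match,unkn(%u),in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "Mar 20 14:23:58 fw filterlog: 317,16777216,,1446645102,em1,match,block,in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK",
]

if __name__ == "__main__":
    recs = [parse_filterlog(l) for l in SAMPLE_LINES]
    for r in recs:
        print(r["timestamp"], r["rulenr"], r["action"], r["src"], "->",
              r["dst"], ":", r["dport"], r["tcpflags"], r["flag_names"],
              "ecn-setup-syn" if is_ecn_setup_syn(r) else "")
    for key, rules in distinct_packets(recs).items():
        print("packet", key, "matched rules", rules)
```

Running it decodes "SEC" as SYN+ECE+CWR on every line: a fresh SYN (no ACK number, MSS/wscale/SACK options, window 8192) with the two ECN bits set, which is the RFC 3168 ECN-setup SYN that any ECN-enabled client sends. The grouping also confirms the poster's suspicion: the three lines per timestamp share the IP id (63190, then 31068) and the sequence number, so they are one packet logged by rules 143, 151 and 317, two packets in total. The "unkn(%u)" action string is left exactly as the firewall wrote it; the parser does not try to explain it.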
-
oh and
$ whois 40.76.59.167
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 40.76.59.167"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=40.76.59.167?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       40.74.0.0 - 40.125.127.255
CIDR:           40.125.0.0/17, 40.112.0.0/13, 40.120.0.0/14, 40.96.0.0/12, 40.76.0.0/14, 40.124.0.0/16, 40.80.0.0/12, 40.74.0.0/15
NetName:        MSFT
NetHandle:      NET-40-74-0-0-1
Parent:         NET40 (NET-40-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Microsoft Corporation (MSFT)
RegDate:        2015-02-23
Updated:        2015-05-27
Ref:            https://whois.arin.net/rest/net/NET-40-74-0-0-1

OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2015-10-28
Comment:        To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment:        * https://cert.microsoft.com.
Comment:
Comment:        For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
Comment:        * abuse@microsoft.com.
Comment:
Comment:        To report security vulnerabilities in Microsoft products and services, please contact:
Comment:        * secure@microsoft.com.
Comment:
Comment:        For legal and law enforcement-related requests, please contact:
Comment:        * msndcc@microsoft.com
Comment:
Comment:        For routing, peering or DNS issues, please
Comment:        contact:
Comment:        * IOC@microsoft.com
Ref:            https://whois.arin.net/rest/org/MSFT

OrgAbuseHandle: MAC74-ARIN
OrgAbuseName:   Microsoft Abuse Contact
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@microsoft.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/MAC74-ARIN

OrgTechHandle:  MRPD-ARIN
OrgTechName:    Microsoft Routing, Peering, and DNS
OrgTechPhone:   +1-425-882-8080
OrgTechEmail:   IOC@microsoft.com
OrgTechRef:     https://whois.arin.net/rest/poc/MRPD-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
-
Just found this as well, so I guess it's an ongoing thing:
https://www.abuseipdb.com/report-history/40.76.59.167
https://www.google.com/search?q=40.76.59.167