Odd flags logged



  • I have never seen this combination of flags, and from an M$ IP range no less.  Yikes.  Does anyone have any insight into what caused this combination of flags?  It may only be two actual packets because I have rules that only match on unknown flag combinations and there are only two distinct times logged.

    
    Mar 20 14:23:54 fw filterlog: 143,16777216,,1456347399,em1,match,unkn(%u),in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
    Mar 20 14:23:54 fw filterlog: 151,16777216,,1456347426,em1,match,unkn(%u),in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
    Mar 20 14:23:54 fw filterlog: 317,16777216,,1446645102,em1,match,block,in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
    Mar 20 14:23:58 fw filterlog: 143,16777216,,1456347399,em1,match,unkn(%u),in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
    Mar 20 14:23:58 fw filterlog: 151,16777216,,1456347426,em1,match,unkn(%u),in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
    Mar 20 14:23:58 fw filterlog: 317,16777216,,1446645102,em1,match,block,in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK
    
    

    Also, does anyone know the format for these logs?  Where can I find the definition for all the fields?  I assume one of them is the TCP sequence number?

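Added example, not code from the post or from pfSense: a small parser for the filterlog field layout used in the lines above (pfSense's documented field order, handling only the IPv4/TCP case), decoding the flag letters so that `SEC` reads as SYN+ECE+CWR, the ECN-setup SYN of RFC 3168, and counting distinct packets by IP id, since several rules logging the same packet produce several lines. The letter-to-flag table is an assumption based on tcpdump-style naming with `C` for CWR; the sample lines are copied from the post.

```python
import re

# Letter-to-flag table (assumption: pf's filterlog uses tcpdump-style
# letters, with 'C' rather than 'W' for CWR).
FLAG_LETTERS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH",
                "A": "ACK", "U": "URG", "E": "ECE", "C": "CWR"}

# Field order per the pfSense filterlog layout, IPv4 + TCP case only.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id", "proto"]
TCP = ["length", "src", "dst", "sport", "dport", "datalen", "tcpflags",
       "seq", "ack", "window", "urg", "options"]

def parse_filterlog(line):
    """Return a dict for one syslog-wrapped filterlog line (IPv4 TCP only)."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        raise ValueError("not a filterlog line")
    f = m.group(1).split(",")          # TCP options use ';', so ',' is safe
    rec = dict(zip(COMMON, f[:9]))
    if rec["ipver"] != "4":
        raise ValueError("only IPv4 handled in this example")
    rec.update(zip(IPV4, f[9:17]))
    if rec["proto"] != "tcp":
        raise ValueError("only TCP handled in this example")
    rec.update(zip(TCP, f[17:29]))
    rec["flags"] = [FLAG_LETTERS.get(c, "?" + c) for c in rec["tcpflags"]]
    return rec

def is_ecn_setup_syn(rec):
    """RFC 3168 ECN-setup SYN: exactly SYN, ECE and CWR set."""
    return set(rec["flags"]) == {"SYN", "ECE", "CWR"}

def distinct_packets(lines):
    """Count packets rather than log lines: several rules can log one packet."""
    keys = {(r["src"], r["sport"], r["dst"], r["dport"], r["id"])
            for r in map(parse_filterlog, lines)}
    return len(keys)

# Three lines from the post: two rules firing on the same packet (IP id 63190),
# then a second packet (IP id 31068) four seconds later.
SAMPLE = [
    "Mar 20 14:23:54 fw filterlog: 143,16777216,,1456347399,em1,match,unkn(%u),in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "Mar 20 14:23:54 fw filterlog: 317,16777216,,1446645102,em1,match,block,in,4,0x22,0,114,63190,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "Mar 20 14:23:58 fw filterlog: 317,16777216,,1446645102,em1,match,block,in,4,0x22,0,114,31068,0,none,6,tcp,52,40.76.59.167,1.2.3.4,1032,22,0,SEC,599887371,,8192,,mss;nop;wscale;nop;nop;sackOK",
]

if __name__ == "__main__":
    for line in SAMPLE:
        r = parse_filterlog(line)
        print(r["action"], r["src"], r["dport"], r["tcpflags"], r["flags"],
              "ecn-setup-syn" if is_ecn_setup_syn(r) else "other")
    print("distinct packets:", distinct_packets(SAMPLE))
```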


  • oh and

    
    $ whois 40.76.59.167
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/public/whoisinaccuracy/index.xhtml
    #
    
    #
    # Query terms are ambiguous.  The query is assumed to be:
    #     "n 40.76.59.167"
    #
    # Use "?" to get help.
    #
    
    #
    # The following results may also be obtained via:
    # https://whois.arin.net/rest/nets;q=40.76.59.167?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
    #
    
    NetRange:       40.74.0.0 - 40.125.127.255
    CIDR:           40.125.0.0/17, 40.112.0.0/13, 40.120.0.0/14, 40.96.0.0/12, 40.76.0.0/14, 40.124.0.0/16, 40.80.0.0/12, 40.74.0.0/15
    NetName:        MSFT
    NetHandle:      NET-40-74-0-0-1
    Parent:         NET40 (NET-40-0-0-0-0)
    NetType:        Direct Assignment
    OriginAS:
    Organization:   Microsoft Corporation (MSFT)
    RegDate:        2015-02-23
    Updated:        2015-05-27
    Ref:            https://whois.arin.net/rest/net/NET-40-74-0-0-1
    
    OrgName:        Microsoft Corporation
    OrgId:          MSFT
    Address:        One Microsoft Way
    City:           Redmond
    StateProv:      WA
    PostalCode:     98052
    Country:        US
    RegDate:        1998-07-10
    Updated:        2015-10-28
    Comment:        To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
    Comment:        * https://cert.microsoft.com.
    Comment:
    Comment:        For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
    Comment:        * abuse@microsoft.com.
    Comment:
    Comment:        To report security vulnerabilities in Microsoft products and services, please contact:
    Comment:        * secure@microsoft.com.
    Comment:
    Comment:        For legal and law enforcement-related requests, please contact:
    Comment:        * msndcc@microsoft.com
    Comment:
    Comment:        For routing, peering or DNS issues, please
    Comment:        contact:
    Comment:        * IOC@microsoft.com
    Ref:            https://whois.arin.net/rest/org/MSFT
    
    OrgAbuseHandle: MAC74-ARIN
    OrgAbuseName:   Microsoft Abuse Contact
    OrgAbusePhone:  +1-425-882-8080
    OrgAbuseEmail:  abuse@microsoft.com
    OrgAbuseRef:    https://whois.arin.net/rest/poc/MAC74-ARIN
    
    OrgTechHandle: MRPD-ARIN
    OrgTechName:   Microsoft Routing, Peering, and DNS
    OrgTechPhone:  +1-425-882-8080
    OrgTechEmail:  IOC@microsoft.com
    OrgTechRef:    https://whois.arin.net/rest/poc/MRPD-ARIN
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/public/whoisinaccuracy/index.xhtml
    #
    
    


