ADFHogan
Regular Contributor
Hey folks,
Happened to stumble across some weird stuff in my router's logs.
Code:
# grep 'Jul 30.*router kernel:' messages
Jul 30 01:29:35 router kernel: SEQ=redacted ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 30 01:29:35 router kernel: PROTO=UDP SPT=redacted DPT=redacted LEN=106
Jul 30 01:29:35 router kernel: RES=0x00 SYN URGP=0 OPT (REALLYLONGHEXADECIMALNUMBERREDACTEDXXXXX)
Jul 30 01:29:40 router kernel: PROTO=UDP SPT=redacted DPT=redacted LEN=106
Jul 30 01:29:47 router kernel: PROTO=UDP SPT=redacted DPT=redacted LEN=28
Jul 30 01:29:47 router kernel: SPT=redacted DPT=redacted LEN=106
Jul 30 01:29:47 router kernel: PROTO=UDP SPT=redacted DPT=redacted LEN=105
Jul 30 01:29:58 router kernel: SPT=redacted DPT=redacted LEN=28
Jul 30 01:30:02 router kernel: SPT=redacted DPT=redacted LEN=106
Jul 30 01:30:09 router kernel: LONGHEXNUMBERREDACTEDXXX)
Jul 30 01:30:47 router kernel: LONGDECIMALNUMBR)
Jul 30 01:30:53 router kernel: RES=0x00 SYN URGP=0 OPT (LONGHEXNUMBERREDACTEDXXX)
Jul 30 01:30:56 router kernel: SPT=redacted DPT=redacted LEN=106
Jul 30 01:30:56 router kernel: DF PROTO=UDP SPT=redacted DPT=redacted LEN=103
Jul 30 01:31:02 router kernel: TPSTXXXDTXXXXXXX
Jul 30 01:31:02 router kernel: 4DO Neh U=MCd:LO:OK:SL:IK:AM:AC:0SC173.1.4 S=0.7.5.0LN12TS00 RC00 T=9I=0 FPOOUPSTSERIALNUMBER
Jul 30 01:36:07 router kernel: SPT=redacted DPT=redacted LEN=112
Jul 30 02:07:37 router kernel: URGP=0
Jul 30 02:08:57 router kernel: SPT=redacted DPT=redacted SEQ=redacted ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 30 02:15:22 router kernel: SPT=redacted DPT=redacted SEQ=redacted ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
I've redacted what could be sensitive information. The reason they look weird to me is that they're listed as originating from the kernel, but they're split unusually (it feels like some of them should be single lines and not split across multiple), and they're not in the usual format I'd expect for firewall notices.
Are these the Asus NAT acceleration?
TrendMicro detection?
Skynet?
Something else?
I'm running diversion lite, skynet, scribe, scmerlin, uiscribe, yazdhcp, dnscrypt.
I have my WiFi disabled as that's handled by completely separate APs.
Skynet normally prefixes log messages with a "[BLOCKED - INBOUND]" or similar and is a clean one line per item.
Just upgraded to 386.3 but messages predate this.
When I look for source and destination ports in these kernel messages, I notice some ports stand out more than others.
Code:
# xzgrep -h 'router kernel:' messages* | sed -re 's/((SPT|DPT)=[0-9]*)\s/\n\1\n/g' | egrep 'SPT|DPT' | sort | uniq -c | sort -n | tail -n 6
101 DPT=18183
139 SPT=8080
146 DPT=8999
148 DPT=50239
690 SPT=48451
949 DPT=48451
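Added example, not code from the original post: a small Python parser that separates complete netfilter LOG records (which begin with IN=/OUT= and carry SRC=/DST=) from fragments like the ones quoted above, and tallies SPT/DPT values the way the xzgrep/sed/uniq pipeline does. The sample lines, interfaces, addresses and port numbers are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the poster's output; all values are invented.
SAMPLE_LOG = """\
Jul 30 01:29:35 router kernel: SEQ=1 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 30 01:29:35 router kernel: PROTO=UDP SPT=48451 DPT=8999 LEN=106
Jul 30 01:29:40 router kernel: PROTO=UDP SPT=48451 DPT=8999 LEN=106
Jul 30 01:29:47 router kernel: SPT=8080 DPT=48451 LEN=28
Jul 30 01:30:09 router kernel: ABCDEF0123)
Jul 30 01:31:02 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=443 DPT=48451
"""

# syslog prefix: "Mon DD HH:MM:SS host kernel: <message>"
KERNEL_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$')
# netfilter LOG fields are upper-case KEY=VALUE tokens (value may be empty, e.g. OUT=)
KV_RE = re.compile(r'\b([A-Z]+)=(\S*)')

def parse_kernel_lines(text):
    """Return one dict per 'kernel:' line: timestamp, parsed fields, fragment flag.

    A complete iptables/netfilter LOG record always starts with IN=/OUT= and
    carries SRC=/DST=; a line lacking those is a fragment (split message).
    """
    records = []
    for line in text.splitlines():
        m = KERNEL_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group(2)))
        complete = all(k in fields for k in ('IN', 'OUT', 'SRC', 'DST'))
        records.append({'ts': m.group(1), 'fields': fields, 'fragment': not complete})
    return records

def port_counts(records):
    """Count numeric SPT=/DPT= values across all records, like the sed|uniq -c pipeline."""
    counts = Counter()
    for r in records:
        for key in ('SPT', 'DPT'):
            value = r['fields'].get(key, '')
            if value.isdigit():
                counts[f'{key}={value}'] += 1
    return counts

if __name__ == '__main__':
    recs = parse_kernel_lines(SAMPLE_LOG)
    frags = sum(r['fragment'] for r in recs)
    print(f'{len(recs)} kernel lines, {frags} look like fragments')
    for item, n in sorted(port_counts(recs).items(), key=lambda kv: kv[1]):
        print(f'{n:4d} {item}')
```

Lines flagged as fragments can then be correlated by timestamp with the complete record that precedes them to see whether they are tails of the same event.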