From owner-freebsd-net@FreeBSD.ORG Wed Sep 4 01:58:02 2013
From: Kurt Buff
To: freebsd-net@freebsd.org
Date: Tue, 3 Sep 2013 18:58:00 -0700
Subject: Re: Question regarding security run output
In-Reply-To: <20130904000959.GG19904@verio.net>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Sep 3, 2013 at 5:09 PM, David DeSimone wrote:
> Kurt Buff wrote:
>>
>> Over the three-day US weekend, I was working on some stuff, and found an
>> interesting set of entries in the daily security run emails all three days.
>>
>> The output looks as follows:
>>
>> ntop.example.com kernel log messages:
>>
>> +++ /tmp/security.IUGsscCR 2013-08-26 03:02:24.000000000 -0700
>>
>> +arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:79 to
>> 72:6e:61:6c:2c:70)
>>
>> +arp: unknown hardware address format (0x0100) (from 00:05:b7:de:cd:79 to
>> 6c:3d:31:37:2c:6e)
>>
>> +arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:a3 to
>> 77:72:69:74:74:65)
>>
>> +arp: unknown hardware address format (0x0000) (from 00:05:b7:de:cd:71 to
>> 2d:0d:0a:62:6f:64)
>
> These are all interesting because the destination MAC address is
> composed entirely of valid ASCII characters.
>
> 72:6e:61:6c:2c:70 = "rnal,p"
>
> 6c:3d:31:37:2c:6e = "l=17,n"
>
> 77:72:69:74:74:65 = "writte"
>
> 2d:0d:0a:62:6f:64 = "-\r\nbod"

That is indeed interesting.

>> This box is monitoring a mirror port on a procurve switch, using an
>> unnumbered interface.
>>
>> My investigation led me to the engineering lab, and I'm querying them
>> regarding the equipment, but I don't know what the above entries signal.
>> Does anyone have a clue they can throw me on this?
>>
>> I also find it interesting that the MAC addresses are either unknown, or
>> belong to Arbor Networks. We don't have any Arbor Networks equipment,
>> though I suppose they could vend them to an OEM. I'm going to see if I can
>> trace them down and get some idea of what's running around in that lab.
>
> Is there some hardware NIC fault causing DMA from random places in
> memory on these devices, or some other data leak propagating through the
> stack on them? It is probably worth capturing the odd packets and
> analyzing them further to see why they look the way they do.

Unknown, but the units in that lab are a system/product under development,
and after talking with them this afternoon, they did mention they were
having some problems. I shall pass your tidbits on to them, and see if it
rings a bell for them.

Many thanks for the help.

Kurt
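The decoding trick David applies by hand above (reading the six "MAC" octets as ASCII) is easy to automate over a whole security-run report, which is useful when the kernel logs dozens of these lines a day. The following Python script is an added example, not code from anyone in this thread or from FreeBSD: it parses the `arp: unknown hardware address format` lines, decodes the destination hardware address as text, and flags lines whose address bytes are all printable, which is the tell-tale sign that the ARP parser is looking at something that is not an ARP packet. The sample log is constructed from the four lines quoted in the thread, re-joined to one line each, plus one made-up control line with an ordinary multicast address so the heuristic has a negative case. The regex, the function names and the control line are all assumptions of this example.

```python
import re
import string

# Constructed sample: the four kernel-log lines quoted in the thread (unwrapped),
# plus one made-up control line whose destination is a normal multicast MAC.
SAMPLE_LOG = """\
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:79 to 72:6e:61:6c:2c:70)
+arp: unknown hardware address format (0x0100) (from 00:05:b7:de:cd:79 to 6c:3d:31:37:2c:6e)
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:a3 to 77:72:69:74:74:65)
+arp: unknown hardware address format (0x0000) (from 00:05:b7:de:cd:71 to 2d:0d:0a:62:6f:64)
+arp: unknown hardware address format (0x0014) (from 00:05:b7:de:cd:71 to 01:00:5e:00:00:fb)
"""

# Matches the FreeBSD message format seen in the thread; an assumption of this example.
LINE_RE = re.compile(
    r"arp: unknown hardware address format \((0x[0-9a-fA-F]+)\) "
    r"\(from ([0-9a-fA-F:]{17}) to ([0-9a-fA-F:]{17})\)"
)

# Bytes we accept as "text": printable ASCII plus whitespace such as CR/LF,
# since the fourth quoted line contains "\r\n".
TEXT_BYTES = set(string.printable.encode())


def mac_to_bytes(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into the six raw octets."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def decode_mac_as_ascii(mac: str) -> str:
    """Read the six octets as ASCII; non-ASCII bytes become U+FFFD."""
    return mac_to_bytes(mac).decode("ascii", errors="replace")


def looks_like_text(raw: bytes) -> bool:
    """True when every octet is printable ASCII or whitespace."""
    return all(b in TEXT_BYTES for b in raw)


def analyze(log_text: str) -> list:
    """Parse each matching log line and report whether its destination
    hardware address decodes to plain text. Lines that do not match are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fmt, src, dst = m.groups()
        raw = mac_to_bytes(dst)
        findings.append({
            "format": int(fmt, 16),   # the ar_hrd value the kernel rejected
            "src": src,
            "dst": dst,
            "dst_ascii": decode_mac_as_ascii(dst),
            "dst_is_text": looks_like_text(raw),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "TEXT" if f["dst_is_text"] else "    "
        print(f"{flag} hrd=0x{f['format']:04x} from {f['src']} to {f['dst']} "
              f"-> {f['dst_ascii']!r}")
```

Run it against the real daily report by reading the mail body into `analyze()` instead of `SAMPLE_LOG`. A high proportion of text-like "addresses" from the same source MAC supports David's suggestion that the frames themselves, not the ARP code, are the thing to capture and inspect; the hardware-type value is worth keeping in the output too, since 0x4500 happens to be the first two bytes of a typical IPv4 header (version 4, header length 5, TOS 0), which is consistent with the parser being handed bytes from the wrong offset.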