Security Analytics messages file shows a lot of packets labeled "martian source"

Article ID: 175384

Products

Security Analytics

Issue/Introduction

When you look at /var/log/messages, you see many lines like this:

2019-07-01T11:01:06+03:00 SAhost kernel: : [4057421.645676] IPv4: martian source 192.168.1.0 from 0.0.0.0, on dev bond0

Cause

A Martian packet is one that contains a source or destination address that is reserved for special use by the IANA.

Seeing these packets in Security Analytics does not necessarily point to a security issue.

These packets can be generated by a network tool or by a misconfigured network device; they may, however, also be used in DoS attacks.

Resolution

If you want to suppress the logging of these messages, you can do so as follows.

The messages in question are controlled by settings in /etc/sysctl.conf:

[[email protected] ~]# grep martian /etc/sysctl.conf
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

Setting both of these settings to zero will suppress the messages. This may be useful if you know the martian packets to be benign but do not want the messages file to be flooded with information about them.
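
Before switching the logging off, it helps to see which address pairs and interfaces produce the messages. The following is an added example, not part of the original article: a small shell function that tallies "martian source" lines from syslog input. The function names and all sample lines except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): count "martian source"
# kernel messages per address pair and interface before suppressing them.
LC_ALL=C; export LC_ALL

# Constructed sample input; the first line is the one quoted in the article.
sample_log() {
cat <<'EOF'
2019-07-01T11:01:06+03:00 SAhost kernel: : [4057421.645676] IPv4: martian source 192.168.1.0 from 0.0.0.0, on dev bond0
2019-07-01T11:01:06+03:00 SAhost kernel: : [4057421.645681] IPv4: ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
2019-07-01T11:01:36+03:00 SAhost kernel: : [4057451.645702] IPv4: martian source 192.168.1.0 from 0.0.0.0, on dev bond0
2019-07-01T11:02:02+03:00 SAhost kernel: : [4057477.120033] IPv4: martian source 192.168.1.255 from 127.0.0.1, on dev eth2
2019-07-01T11:02:06+03:00 SAhost kernel: : [4057481.645733] IPv4: martian source 192.168.1.0 from 0.0.0.0, on dev bond0
2019-07-01T11:02:09+03:00 SAhost sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF
}

# Reads syslog lines on stdin; prints "COUNT DEST SRC DEV", busiest first.
# In the kernel's message the address after "source" is the packet's
# destination and the address after "from" is its (martian) source.
summarize_martians() {
    awk '
        /martian source/ {
            for (i = 1; i < NF; i++)
                if ($i == "martian" && $(i + 1) == "source") {
                    dst = $(i + 2); src = $(i + 4); dev = $(i + 7)
                    sub(/,$/, "", src)      # strip the comma after the source
                    # Skip truncated lines that lack the interface field.
                    if (dev != "") count[dst " " src " " dev]++
                    break
                }
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Demonstration on the constructed sample.
sample_log | summarize_martians
```

On a live system the same function can be fed the real file: `summarize_martians < /var/log/messages`.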