Security Analytics messages file shows a lot of packets labled "martian source"
Article ID: 175384
Updated On: 08-30-2019
Products
Issue/Introduction
When you look at /var/log/messages you see a lot of lines like these:
2019-07-01T11:01:06+03:00 SAhost kernel: : [4057421.645676] IPv4: martian source 192.168.1.0 from 0.0.0.0, on dev bond0
Cause
The definition for a Martian packet is that it contains a source or destination address that is reserved for special use by the IANA
The fact that you see these packets in Security Analytics is not necessarily pointing towards a security issue.
These packets can be generated by some network tool or by a misconfigured network device, they may however be used in DOS attacks.
Resolution
If you want to suppress the looging of these messages you can do this.
The messages in question are controlled by settings in /etc/sysctl.conf:
[root@s228 ~]# grep martian /etc/sysctl.conf net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1
Setting both these settings to zero will suppress the messages. This may be useful if you know the presence of martian packets to be of benign nature but you do not want the messages file to be flooded with information about them.
Feedback
