2.32. IGMP

These log messages refer to the IGMP (IGMP events) category.

2.32.1. querier_election_won (ID: 04200001)

Default Severity
NOTICE
Log Message
Taking on the role of Querier at interface <iface>.
Explanation
This router is now the IGMP Querier at the specified interface.
Firewall Action
None
Recommended Action
None
Revision
1
Parameters
iface

2.32.2. querier_election_lost (ID: 04200002)

Default Severity
NOTICE
Log Message
Lost Querier election to <dest> at interface <iface>.
Explanation
This router is no longer the IGMP Querier at the specified interface.
Firewall Action
None
Recommended Action
None
Revision
1
Parameters
dest
iface

2.32.3. invalid_dest_ip_address (ID: 04200003)

Default Severity
WARNING
Log Message
Rejected IGMP message directed to unicast IP <ip_dest> at interface <recv_if>.
Explanation
Rejected IGMP message directed to a unicast IP. Possible IGMP DoS attack. Note that sending IGMP messages to a unicast IP is legal with IGMPv1 and IGMPv2, but not recommended.
Firewall Action
drop
Recommended Action
Identify the offending application, upgrade if possible.
Revision
1
Parameters
recv_if
ip_dest
Context Parameters
Packet Buffer

2.32.4. invalid_destination_ethernet_address (ID: 04200004)

Default Severity
WARNING
Log Message
Rejected IGMP message with inconsistent IP/ethernet addresses (<ipdest>/<edest>) at interface <recv_if>.
Explanation
Rejected IGMP message directed to a unicast Ethernet address. Known IGMP DoS attack.
Firewall Action
drop
Recommended Action
Identify the offending application or user, isolate or upgrade if possible.
Revision
1
Parameters
recv_if
ipdest
edest
Context Parameters
Packet Buffer
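
The destination checks behind invalid_dest_ip_address and invalid_destination_ethernet_address can be reproduced when triaging a captured frame. This is an added example, not the firewall's own code; it assumes "consistent" means the RFC 1112 mapping of an IPv4 group to an Ethernet multicast address, and the function names are hypothetical.

```python
import ipaddress


def multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the IPv4 group."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return ":".join(f"{o:02x}" for o in octets)


def classify_igmp_destination(ip_dest: str, eth_dest: str):
    """Return the event name from this section that the frame matches, or None.

    Assumption: the IP check is applied before the Ethernet check.
    """
    if not ipaddress.IPv4Address(ip_dest).is_multicast:
        # IGMP sent to a unicast IP: legal in IGMPv1/v2 but rejected here.
        return "invalid_dest_ip_address"
    if eth_dest.lower() != multicast_mac(ip_dest):
        # Multicast IP carried in a frame whose MAC does not map to that group.
        return "invalid_destination_ethernet_address"
    return None


if __name__ == "__main__":
    # Constructed sample frames (destination IP, destination MAC).
    samples = [
        ("224.0.0.22", "01:00:5e:00:00:16"),
        ("192.168.1.10", "00:11:22:33:44:55"),
        ("224.0.0.1", "00:11:22:33:44:55"),
    ]
    for ip_dest, eth_dest in samples:
        print(ip_dest, eth_dest, classify_igmp_destination(ip_dest, eth_dest))
```

Because only 23 bits of the group address are mapped, 32 different groups share each Ethernet address, so a matching MAC does not by itself identify the group.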

2.32.5. failed_restarting_igmp_conn (ID: 04200006)

Default Severity
EMERG
Log Message
Could not restart the IGMP listening conn. Reason: Out of memory
Explanation
Could not restart the IGMP listening conn. The IGMP system is no longer functional since it cannot handle IGMP requests.
Firewall Action
None
Recommended Action
Reboot the system.
Revision
1

2.32.6. invalid_size_query_packet (ID: 04200007)

Default Severity
WARNING
Log Message
Broken IGMP Query at interface <recv_if> (payload exceeds packet size).
Explanation
Harmful condition that potentially could give an attacker full access to the system. May indicate faulty hardware, an attack or experimental software.
Firewall Action
drop
Recommended Action
None, but keep an eye open for malfunctioning software/hardware somewhere on the network.
Revision
1
Parameters
recv_if
Context Parameters
Packet Buffer

2.32.7. invalid_query_group_address (ID: 04200008)

Default Severity
ERROR
Log Message
IGMP group specific query at interface <recv_if> about group <grp> (<grp_sat> after being SAT'ed) includes unicast ip address.
Explanation
Unicast IP address found inside group specific query. This is most likely a faulty SAT config.
Firewall Action
drop
Recommended Action
Check your IGMP ruleset to see if a multicast group might somehow be translated into a unicast address.
Revision
1
Parameters
recv_if
grp
grp_sat
Context Parameters
Packet Buffer

2.32.8. igmp_query_dropped (ID: 04200009)

Default Severity
NOTICE
Log Message
Rule <name> dropped IGMP Query about group <grp> and source <src> at interface <if> from router <rip>.
Explanation
Dropped IGMP Query.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
if
rip
igmpver
grp
src
name

2.32.9. igmp_query_received (ID: 04200010)

Default Severity
NOTICE
Log Message
Rule <name> <action> IGMP Query about group <grp> and source <src> at interface <if> from router <rip>. Group <grp> is translated into <sgrp> and source <src> into <ssrc>.
Explanation
Got IGMP Query.
Firewall Action
allow
Recommended Action
None
Revision
1
Parameters
if
rip
igmpver
grp
src
sgrp
ssrc
name
action

2.32.10. bad_src (ID: 04200011)

Default Severity
WARNING
Log Message
Rule <name> drops multicast sender <src> (SAT'ed into <sats>) in group <grp> (SAT'ed into <satg>) specific IGMP Query at interface <iface>.
Explanation
This is most likely a faulty IGMP configuration, but may also indicate faulty software on the network. Under special circumstances this could be an active attempt to scan the network for information.
Firewall Action
drop
Recommended Action
Specifically check your IGMP ruleset for incorrect SAT information (IGMP support requires at least one "REPORT" (Member Report) rule and one matching "QUERY" rule). Make sure both multicast groups and source addresses map one-to-one between Member Reports and Queries. Finally, check the network for other anomalies that could indicate broken equipment or installed "spyware".
Revision
1
Parameters
name
src
grp
sats
satg
iface

2.32.11. igmp_report_received (ID: 04200012)

Default Severity
NOTICE
Log Message
Rule <name> <action> IGMP Member Report concerning group <grp> and source <src> at interface <if> from host <hip>. Group <grp> is translated into <sgrp> and source <src> into <ssrc>
Explanation
Got IGMP Report.
Firewall Action
allow
Recommended Action
None
Revision
1
Parameters
if
hip
igmpver
grp
src
sgrp
ssrc
name
action

2.32.12. packet_includes_aux_data (ID: 04200013)

Default Severity
WARNING
Log Message
IGMP Group record <grp> from interface <recv_if> contains auxilliary data.
Explanation
This software supports IGMPv1, IGMPv2 and IGMPv3, and none of them support the feature known as "Auxiliary Data". This is a broken packet.
Firewall Action
drop
Recommended Action
If this is a legal situation and the administrator has no reason to suspect an attack, upgrading this software may solve the problem.
Revision
1
Parameters
recv_if
grp
Context Parameters
Packet Buffer

2.32.13. invalid_size_report_packet (ID: 04200014)

Default Severity
ERROR
Log Message
Broken IGMP Member Report at interface <recv_if>. Group record <grp> makes payload larger than IGMP packet size.
Explanation
Harmful condition that potentially could give an attacker full access to the system. May indicate faulty hardware, an attack or experimental software.
Firewall Action
drop
Recommended Action
None, but keep an eye open for broken hardware somewhere in the network.
Revision
1
Parameters
recv_if
grp
Context Parameters
Packet Buffer

2.32.14. bad_grp (ID: 04200015)

Default Severity
WARNING
Log Message
Bad IGMP Member Report at interface <iface>: Group record request group <grp> (which is not a multicast group).
Explanation
This is most likely a faulty IGMP config.
Firewall Action
drop
Recommended Action
Specifically check for inconsistent SAT/NAT information in the IGMP config.
Revision
1
Parameters
grp
iface

2.32.15. invalid_report_grp_record (ID: 04200016)

Default Severity
WARNING
Log Message
Bad IGMP Member Report received. Group record <grp> of unknown type <type>.
Explanation
This indicates faulty software/hardware somewhere on the network.
Firewall Action
drop
Recommended Action
None, but keep an eye open for broken hardware somewhere in the network.
Revision
1
Parameters
grp
type
Context Parameters
Packet Buffer
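
The group-record conditions reported by packet_includes_aux_data, invalid_size_report_packet, bad_grp and invalid_report_grp_record can be checked against a captured IGMPv3 Membership Report payload (RFC 3376 layout). This is an added example, not the firewall's own code; the function names, the order of the checks and the mapping of each condition to an event name are assumptions based on the explanations above.

```python
import ipaddress
import struct

KNOWN_RECORD_TYPES = range(1, 7)  # RFC 3376 record types 1..6


def validate_v3_report(payload: bytes):
    """Return (event_name, group) for the first bad group record, else None.

    The checksum is not verified; only the structure is checked.
    """
    if len(payload) < 8 or payload[0] != 0x22:
        raise ValueError("not an IGMPv3 Membership Report")
    (num_records,) = struct.unpack_from("!H", payload, 6)
    offset = 8
    for _ in range(num_records):
        if offset + 8 > len(payload):  # record header itself is cut off
            return ("invalid_size_report_packet", None)
        rtype, aux_len, num_src, grp_raw = struct.unpack_from("!BBH4s", payload, offset)
        grp_ip = ipaddress.IPv4Address(grp_raw)
        # Sources are 4 bytes each; aux data length is counted in 32-bit words.
        end = offset + 8 + 4 * num_src + 4 * aux_len
        if end > len(payload):  # declared lengths run past the packet
            return ("invalid_size_report_packet", str(grp_ip))
        if aux_len:
            return ("packet_includes_aux_data", str(grp_ip))
        if rtype not in KNOWN_RECORD_TYPES:
            return ("invalid_report_grp_record", str(grp_ip))
        if not grp_ip.is_multicast:
            return ("bad_grp", str(grp_ip))
        offset = end
    return None


def record(rtype, group, sources=(), aux_len=0, aux=b""):
    """Build one group record (helper for constructed test input)."""
    head = struct.pack("!BBH4s", rtype, aux_len, len(sources),
                       ipaddress.IPv4Address(group).packed)
    return head + b"".join(ipaddress.IPv4Address(s).packed for s in sources) + aux


def report(*records):
    """Build a report payload with a zero checksum (constructed test input)."""
    return struct.pack("!BBHHH", 0x22, 0, 0, 0, len(records)) + b"".join(records)
```

Doing the length check before any other field is read is what keeps a record with an inflated source count or auxiliary length from being parsed past the end of the packet.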

2.32.16. igmp_report_dropped (ID: 04200017)

Default Severity
NOTICE
Log Message
Rule <name> drops IGMP Member Report concerning group <grp> and source <src> at interface <if> from host <hip>.
Explanation
Dropped IGMP Report.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
if
hip
igmpver
grp
src
sat_grp
sat_src
name

2.32.17. igmp_ruleset_rejects_report (ID: 04200018)

Default Severity
WARNING
Log Message
Rule <name> drops multicast sender <src> for group record <grp> in Member Report at interface <iface>.
Explanation
IGMP Member Report contains an unwanted IP sender.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
name
src
grp
iface

2.32.18. bad_inet (ID: 04200019)

Default Severity
WARNING
Log Message
Rejected IGMP message from incorrect IP <src> at interface <iface>.
Explanation
Rejected IGMP message because it claims to have been sent by this router, which did not send it. Possible IGMP DoS attack, but more likely an IP conflict.
Firewall Action
drop
Recommended Action
Assign a different IP to the offending application.
Revision
1
Parameters
src
iface
Context Parameters
Packet Buffer

2.32.19. max_global_requests_per_second_reached (ID: 04200020)

Default Severity
WARNING
Log Message
Rejected IGMP message. Global requests per second rate reached
Explanation
Too many IGMP requests received per second. Possible IGMP DoS attack.
Firewall Action
drop
Recommended Action
Increase global IGMPMaxReqs per second limit if more requests are wanted.
Revision
1
Parameters
ipsrc
iface

2.32.20. max_if_requests_per_second_reached (ID: 04200021)

Default Severity
WARNING
Log Message
Rejected IGMP message. Max requests per second and interface rate reached
Explanation
Too many IGMP requests received per second. Possible IGMP DoS attack.
Firewall Action
drop
Recommended Action
Increase IGMPMaxReqsIf per second limit if more requests are wanted.
Revision
1
Parameters
ipsrc
iface

2.32.21. disallowed_igmp_version (ID: 04200022)

Default Severity
NOTICE
Log Message
Disallowed IGMP Version
Explanation
A system is using an IGMP version that is too old.
Firewall Action
drop
Recommended Action
Upgrade the host/router running the disallowed version, or lower LowestIGMPVer limit.
Revision
1
Parameters
recv_ver
required_ver
Context Parameters
Packet Buffer

2.32.22. received_unknown_igmp_type (ID: 04200023)

Default Severity
NOTICE
Log Message
Dropped IGMP message with unknown type.
Explanation
Invalid IGMP message type received.
Firewall Action
drop
Recommended Action
None, but keep an eye open for malfunctioning software/hardware on the network.
Revision
1
Parameters
MSGType
Context Parameters
Packet Buffer

2.32.23. older_querier_present (ID: 04200024)

Default Severity
NOTICE
Log Message
Entering IGMPv<igmpver> Older Querier Present compatibility mode on interface <iface> because of a received General Query from <rip>.
Explanation
The router will use IGMPv[igmpver] when it is snooping/proxying IGMP messages upstream.
Firewall Action
None
Recommended Action
None
Revision
1
Parameters
iface
rip
igmpver

2.32.24. older_querier_gone (ID: 04200025)

Default Severity
NOTICE
Log Message
No IGMPv<igmpver> querier present. Older Querier Present (IGMPv<igmpver>) compatibility mode on interface <iface> has ended. Entering IGMPv<nigmpver> mode.
Explanation
The router has not heard any IGMPv[igmpver] general queries and will switch to IGMPv[nigmpver] when snooping/proxying IGMP messages upstream.
Firewall Action
None
Recommended Action
None
Revision
1
Parameters
iface
igmpver
nigmpver