Security Incidents mailing list archives
Assistance and advice request
From: Kirklin Spencer <kspencer () WHITFIELD PUBLIC LIB GA US>
Date: Thu, 27 Jul 2000 16:39:28 -0400
I'm a beginner and looking for pointers. Three days ago I installed SNORT on one of my network computers and started it running. I've got two interesting situations developing and am looking for recommendations on tools and actions. Oh, yes, I'm running NT4 SP6a, and I've a couple of Red Hat Linux boxes I could hook up as well.

Situation one. Very Large ICMP packet.

The vendor who provides the primary software for our company has a website. Two to four times a day, between 9 am and 9 pm each day, three (originally two) of my computers receive an ICMP packet consisting of 1462 consecutive 00s. The origin of these packets is the company's web server. The computers receiving this packet are the computers from which I have gone through the website's login screen to the customer support pages on the same server. Approximately 30 hours ago I notified the company and sent them a copy of the log. When they suggested it might be spoofed, I logged onto the website with the third workstation. 20 minutes later it received a packet. No other computers on my network are being sent these packets. Is there a legitimate reason I might be getting packets of this sort? And what tools and actions should I be using/doing?

Situation two. Slow Scan.

Over the past two days I've been receiving a series of pings from an IP address directed at my server. Looking at the data it appears that it is a port scan, as snort reports the identifier as Destination unreachable: Port unreachable. I tried nslookup and whois on the IP and get nothing. At this time it's not an attack, but the fact that it's lasted two days and that the intervals reported by snort are between half a second and one hour lead me to suspect that it is a probe. Again, what tools might I use and how should I be using them (and who should I be telling)?

Thanks,
Kirk Spencer
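The following is an added example, not part of the post above or of any reply in the thread, showing how one would pull the two things Snort flagged out of raw packets rather than reading alerts alone. It decodes IPv4/ICMP by hand and applies two rules: an echo request or reply whose payload is large and entirely zero bytes (situation one, where the post reports 1462 consecutive 00s), and an ICMP destination unreachable / port unreachable (type 3, code 3; situation two). The second rule is the interesting one: per RFC 792 a type 3 message is sent by the host that received a datagram it could not deliver, and it quotes the original IP header plus the first 8 bytes of that datagram, so a parser can show exactly which UDP (or TCP) packet, from which address and port, the error is answering. The packets, addresses (RFC 5737 documentation ranges), the quoted UDP datagram and the 1000-byte "large payload" threshold are all constructed for illustration; they are not the poster's logs. A small inter-arrival helper is included for the "half a second to one hour" spacing the post describes.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type/code values from RFC 792
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
CODE_PORT_UNREACH = 3
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip2bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes2ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, ip2bytes(src), ip2bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes) -> bytes:
    """ICMP header: type, code, checksum, 4-byte 'rest of header', then payload."""
    body = struct.pack("!BBHI", icmp_type, code, 0, rest) + payload
    return struct.pack("!BBHI", icmp_type, code, inet_checksum(body), rest) + payload


@dataclass
class IcmpEvent:
    src: str
    dst: str
    icmp_type: int
    code: int
    checksum_ok: bool
    payload: bytes
    # For ICMP error messages: (proto, src, dst, sport, dport) of the quoted datagram
    quoted: Optional[Tuple[int, str, str, Optional[int], Optional[int]]] = None


def parse_icmp(packet: bytes) -> IcmpEvent:
    """Decode an IPv4/ICMP packet; for type 3 errors also decode the quoted inner datagram."""
    if packet[0] >> 4 != 4 or packet[9] != PROTO_ICMP:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    ev = IcmpEvent(bytes2ip(packet[12:16]), bytes2ip(packet[16:20]), icmp[0], icmp[1],
                   inet_checksum(icmp) == 0, icmp[8:])
    # RFC 792: destination unreachable carries the original IP header + first 8 data bytes
    if ev.icmp_type == ICMP_DEST_UNREACH and len(ev.payload) >= 28:
        inner = ev.payload
        inner_ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        sport = dport = None
        if proto in (PROTO_TCP, PROTO_UDP):  # both carry ports in the first 4 bytes
            sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
        ev.quoted = (proto, bytes2ip(inner[12:16]), bytes2ip(inner[16:20]), sport, dport)
    return ev


def classify(ev: IcmpEvent, zero_threshold: int = 1000) -> List[str]:
    """Two rules matching the post's situations; zero_threshold is an arbitrary cut-off."""
    findings = []
    if not ev.checksum_ok:
        findings.append("bad ICMP checksum")
    if ev.icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) \
            and len(ev.payload) >= zero_threshold and not ev.payload.strip(b"\x00"):
        findings.append(f"large all-zero echo payload ({len(ev.payload)} bytes) from {ev.src}")
    if ev.icmp_type == ICMP_DEST_UNREACH and ev.code == CODE_PORT_UNREACH and ev.quoted:
        proto, qsrc, qdst, sport, dport = ev.quoted
        name = {PROTO_UDP: "UDP", PROTO_TCP: "TCP"}.get(proto, f"proto {proto}")
        findings.append(f"port unreachable from {ev.src} quoting {name} {qsrc}:{sport} -> {qdst}:{dport}")
    return findings


def interarrival_range(timestamps: List[float]) -> Tuple[float, float]:
    """Smallest and largest gap between consecutive events (seconds)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return (min(gaps), max(gaps))


# --- constructed sample packets; RFC 5737 documentation addresses, not the post's hosts ---
VENDOR_WEB, WORKSTATION = "192.0.2.10", "198.51.100.20"
PROBER, OUR_SERVER = "203.0.113.7", "198.51.100.1"

# Situation one: echo request whose payload is 1462 zero bytes (id 1, seq 1)
BIG_ZERO_PING = build_ipv4(VENDOR_WEB, WORKSTATION, PROTO_ICMP,
                           build_icmp(ICMP_ECHO_REQUEST, 0, (1 << 16) | 1, b"\x00" * 1462))

# Situation two: port unreachable quoting a (hypothetical) UDP datagram from our server to the prober
_inner = build_ipv4(OUR_SERVER, PROBER, PROTO_UDP,
                    struct.pack("!HHHH", 1025, 33434, 12, 0) + b"\x00" * 4)
PORT_UNREACH_PKT = build_ipv4(PROBER, OUR_SERVER, PROTO_ICMP,
                              build_icmp(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, _inner[:28]))

if __name__ == "__main__":
    for pkt in (BIG_ZERO_PING, PORT_UNREACH_PKT):
        ev = parse_icmp(pkt)
        print(f"{ev.src} -> {ev.dst} type={ev.icmp_type} code={ev.code}:", classify(ev))
    print("gap range (s):", interarrival_range([0.0, 0.5, 3600.5, 3601.0]))
```

The point of decoding the quoted header is that a port unreachable arriving at your server is a reply, not a request: it names a datagram that carried your server's address as source. Whether that datagram really left your server (a DNS lookup, a traceroute) or was sent by a third party with a spoofed source is exactly the question the quoted source and destination ports help you answer from the capture.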
Current thread:
- Assistance and advice request Kirklin Spencer (Jul 28)
- Re: Assistance and advice request Greg A. Woods (Jul 29)
- Re: Assistance and advice request Michel Kaempf (Jul 29)
- Re: Assistance and advice request Bill Pennington (Jul 29)
- Re: Assistance and advice request Adam Boileau (Jul 31)