Security Incidents mailing list archives
Re: Assistance and advice request
From: Bill Pennington <billp () ROCKETCASH COM>
Date: Fri, 28 Jul 2000 13:27:14 -0700
My comments are in line... Kirklin Spencer wrote:
I'm a beginner and looking for pointers. Three days ago I installed SNORT on one of my network computers and started it running. I've got two interesting situations developing and am looking for recommendations on tools and actions. Oh, yes, I'm running NT4 SP6a, and I've a couple of Red Hat Linux boxes I could hook up as well.

Situation one. Very large ICMP packet. The vendor who provides the primary software for our company has a website. Two to four times a day, between 9 am and 9 pm each day, three (originally two) of my computers receive an ICMP packet consisting of 1462 consecutive 00s. The origin of these packets is the company's web server. The computers receiving this packet are the computers from which I have gone through the website's login screen to the customer support pages on the same server. Approximately 30 hours ago I notified the company and sent them a copy of the log. When they suggested it might be spoofed, I logged onto the website with the third workstation. 20 minutes later it received a packet. No other computers on my network are being sent these packets. Is there a legitimate reason I might be getting packets of this sort? And what tools and actions should I be using/doing?
It is possible that they are using a network load balancing device that is trying to determine the best path to you or possibly what route you are taking. Only a guess. It would be odd if these were being spoofed from a 3rd party and just happened to be one of the websites you visit.
From a paranoid standpoint it could be a sign of a compromised host. I really don't think so, but without further info I could not rule it out.
Situation two. Slow scan. Over the past two days I've been receiving a series of pings from an IP address directed at my server. Looking at the data it appears that it is a port scan, as snort reports the identifier as Destination unreachable: Port unreachable. I tried nslookup and whois on the IP and get nothing. At this time it's not an attack, but the fact that it's lasted two days and that the intervals reported by snort are between half a second and one hour lead me to suspect that it is a probe. Again, what tools might I use and how should I be using them (and who should I be telling)?
Without more info it is hard to comment on this. Is it the same port # they are hitting each time? What does the payload look like? A good tool to use in tracking down IP addresses is the ARIN database located at http://www.arin.net. That database only indexes US addresses. There are a couple of good whois clients. Also check out http://www.samspade.org/; they have lots of good lookup tools. If you need any help deciphering stuff let me know. I would be happy to take a look at logs or packet dumps if need be.
Thanks, Kirk Spencer
--
Bill Pennington
Senior IT Manager, Rocketcash
billp () rocketcash com
http://www.rocketcash.com
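The two questions Bill asks (is it the same port each time, and what does the payload look like) are exactly what a small log-summarising script answers before anyone is contacted. The following is an added example, not code from either poster or from Snort: it reads a simplified, constructed alert format (one event per line, "MM/DD-HH:MM:SS.ffffff src -> dst KIND detail", which is an assumption made for this example and not Snort's own output), flags ICMP echo payloads that are long runs of 0x00 like the 1462-byte packets in situation one, computes the inter-arrival gaps per source/destination pair that make situation two look like a slow probe, and tallies which destination ports the "port unreachable" messages reference. The sample log lines are constructed for the example.

```python
"""Summarise ICMP events from a simplified, constructed alert log.

Log format (an assumption for this example, not Snort's real format):
    MM/DD-HH:MM:SS.ffffff  src -> dst  KIND  detail
where KIND is ECHO (detail = hex payload) or UNREACH (detail = "port=N",
the destination port carried in the ICMP port-unreachable message).
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    kind: str    # "ECHO" or "UNREACH" (labels chosen for this example)
    detail: str  # hex payload for ECHO, "port=N" for UNREACH


# Constructed sample log: documentation/test-range addresses, not real traffic.
ZERO_1462 = "00" * 1462  # a 1462-byte all-zero payload, as in the report
SAMPLE_LOG = "\n".join([
    f"07/26-09:14:02.000000 203.0.113.10 -> 192.0.2.21 ECHO {ZERO_1462}",
    f"07/26-14:40:11.000000 203.0.113.10 -> 192.0.2.21 ECHO {ZERO_1462}",
    "07/26-11:02:30.000000 192.0.2.22 -> 192.0.2.21 ECHO 0102030405060708",
    "07/26-10:00:00.000000 198.51.100.7 -> 192.0.2.5 UNREACH port=53",
    "07/26-10:00:00.500000 198.51.100.7 -> 192.0.2.5 UNREACH port=111",
    "07/26-11:00:00.500000 198.51.100.7 -> 192.0.2.5 UNREACH port=53",
    "07/26-11:30:00.500000 198.51.100.7 -> 192.0.2.5 UNREACH port=161",
])


def parse_log(text: str) -> list[Event]:
    """Parse the simplified log into Events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, arrow, dst, kind, detail = line.split(maxsplit=5)
        if arrow != "->":
            raise ValueError(f"unexpected line: {line!r}")
        stamp = datetime.strptime(ts, "%m/%d-%H:%M:%S.%f")
        events.append(Event(stamp, src, dst, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def zero_payload_events(events: list[Event], min_len: int = 1000) -> list[Event]:
    """ECHO events whose payload is at least min_len bytes and entirely 0x00."""
    hits = []
    for e in events:
        if e.kind != "ECHO":
            continue
        payload = bytes.fromhex(e.detail)
        if len(payload) >= min_len and not any(payload):
            hits.append(e)
    return hits


def interval_stats(events: list[Event]) -> dict:
    """Per (src, dst): event count and the shortest/longest gap in seconds.

    Gaps that swing between sub-second and an hour or more are the slow,
    irregular pattern described in situation two.
    """
    by_pair = defaultdict(list)
    for e in events:  # already sorted by parse_log
        by_pair[(e.src, e.dst)].append(e.ts)
    stats = {}
    for pair, times in by_pair.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[pair] = {
            "count": len(times),
            "min_gap": min(gaps) if gaps else None,
            "max_gap": max(gaps) if gaps else None,
        }
    return stats


def unreachable_ports(events: list[Event]) -> dict:
    """Per (src, dst): how often each destination port appears in UNREACH events."""
    ports = defaultdict(Counter)
    for e in events:
        if e.kind == "UNREACH" and e.detail.startswith("port="):
            ports[(e.src, e.dst)][int(e.detail[len("port="):])] += 1
    return ports


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for e in zero_payload_events(EVENTS):
        print(f"all-zero echo payload {len(e.detail) // 2} bytes: {e.src} -> {e.dst} at {e.ts.time()}")
    for pair, s in interval_stats(EVENTS).items():
        print(f"{pair[0]} -> {pair[1]}: {s['count']} events, gaps {s['min_gap']}s .. {s['max_gap']}s")
    for pair, counts in unreachable_ports(EVENTS).items():
        print(f"{pair[0]} -> {pair[1]}: unreachable ports {dict(counts)}")
```

Run against a real capture, the same three summaries give a concrete answer to send back to the vendor or the address's registrant: which hosts get the zero-filled packets and how often, whether the unreachable messages cycle through ports (a scan) or keep naming one (more likely a misconfigured client), and how the timing is spread.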