Snort mailing list archives
Re: ICMP Echo Replies & Unknowns?
From: Phil Wood <cpw () lanl gov>
Date: Thu, 28 Jun 2001 12:07:27 -0600
In my case the problem of trash icmp types and codes is the result of a problem with snort. It appears related to the defrag preprocessor. I have documented, using tcpdump and snort in parallel, that valid ICMP packets (as seen by tcpdump), end up in snort with some memory (not associated with any packet) appended to a perfectly valid IP header (with proto of ICMP). Tcpdump shows two fragments (out of order) which together make up an icmp packet. Snort's defrag constructs the complete ICMP packet with the identical IP header, but crud from some place in snort's memory as ICMP header and DATA.

This is not the entire story. I'm waiting for the rest of the story. The problem cannot be duplicated by sending snort the fragments from the tcpdump file (-r). So, there are other things going on. It's entirely possible that the defrag preprocessor is just doing its job, and some other module in snort is making mincemeat out of defrag's control or data memory. It's just a matter of a memory pointer changing, prior to the construction of the packet to be shipped into the rules processor, or in the rules processor itself.

Has anyone else looked into this problem?

On Thu, Jun 28, 2001 at 10:43:28AM +0100, Matthew Collins wrote:
I get all sorts of this stuff too, also ICMP destination unreachable messages for packets we haven't sent. Most of this is fallout from DOS attacks & people spoofing our IP addresses.

"Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com> 28/06/01 05:59:48 >>>

Every day, I see many "ICMP Echo Replies" and "ICMP unknowns" from random machines on the Internet. Some example traces are below...these packets came back to back three seconds apart (icmp unknown then icmp echo reply right afterward). Does anyone know why I would see so many of these? Could this come from a probing tool? I see so many, I'm trying to figure out what's going on! Thanks.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
-- Phil Wood, cpw () lanl gov
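The diagnosis in this thread rests on comparing what tcpdump sees with what snort's defrag hands to the rules engine. As an added example (not code from this thread, nor from Snort itself), here is a small Python reassembler for two out-of-order IPv4 fragments, together with the check that separates a correctly rebuilt ICMP message from one whose header and data have been replaced by stray memory: a valid ICMP message sums to zero under the RFC 1071 checksum, and garbage almost never does. The packets, the addresses (RFC 5737 test ranges), the IP ID and the junk payload are all constructed for the example.

```python
# Added example, not code from the original thread or from Snort itself.
# Reassembles two out-of-order IPv4 fragments of an ICMP echo request and
# validates the result with the ICMP checksum. All packets are constructed
# inline (RFC 5737 test addresses); nothing is captured from a network.
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, ident: int,
               flags_frag: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fields reassembly needs; rejects a bad header checksum."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_frag & 0x2000),      # More Fragments flag
            "offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
            "payload": pkt[ihl:total_len]}


def reassemble(fragments) -> bytes:
    """Join fragments of one datagram, in any arrival order, into its payload.
    Raises ValueError on a gap, an overlap, mixed datagrams or a missing tail."""
    frags = [parse_ipv4(f) for f in fragments]
    if len({(f["src"], f["dst"], f["ident"], f["proto"]) for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    frags.sort(key=lambda f: f["offset"])
    buf, expected = bytearray(), 0
    for f in frags:
        if f["offset"] != expected:
            raise ValueError("gap or overlap at offset %d" % f["offset"])
        buf += f["payload"]
        expected += len(f["payload"])
    if frags[-1]["mf"]:
        raise ValueError("last fragment (MF=0) missing")
    return bytes(buf)


def reassembly_error(fragments):
    """Return the reassembly error message, or None if reassembly succeeds."""
    try:
        reassemble(fragments)
    except ValueError as exc:
        return str(exc)
    return None


def build_icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request (type 8) with its checksum filled in."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, inet_checksum(hdr + data), ident, seq) + data


def icmp_checksum_ok(icmp: bytes) -> bool:
    """A correct ICMP message sums to zero when the checksum field is included."""
    return len(icmp) >= 8 and inet_checksum(icmp) == 0


def check_reassembled(fragments) -> tuple:
    """(icmp_type, icmp_code, checksum_ok) for the reassembled datagram."""
    icmp = reassemble(fragments)
    return icmp[0], icmp[1], icmp_checksum_ok(icmp)


# Constructed sample: a 48-byte echo request split at byte 24 into two fragments.
SRC = bytes([192, 0, 2, 10])       # constructed, RFC 5737 TEST-NET-1
DST = bytes([198, 51, 100, 7])     # constructed, RFC 5737 TEST-NET-2
ICMP_ECHO = build_icmp_echo(0x1234, 1, bytes(range(40)))
FRAG_FIRST = build_ipv4(SRC, DST, 1, 0xBEEF, 0x2000, ICMP_ECHO[:24])    # MF=1, offset 0
FRAG_LAST = build_ipv4(SRC, DST, 1, 0xBEEF, 24 // 8, ICMP_ECHO[24:])    # MF=0, offset 24
# Stand-in for the "crud" described in the thread: same length, no valid ICMP inside.
JUNK_PAYLOAD = b"\xab" * len(ICMP_ECHO)

if __name__ == "__main__":
    # Fragments delivered out of order, as in the tcpdump trace described above.
    print("reassembled:", check_reassembled([FRAG_LAST, FRAG_FIRST]))
    print("junk passes checksum:", icmp_checksum_ok(JUNK_PAYLOAD))
    print("only first fragment:", reassembly_error([FRAG_FIRST]))
```

Applying the same two checks to the datagrams a reassembler emits gives the signature described in the thread directly: an IP header checksum that passes followed by an ICMP checksum that fails means the IP header survived reassembly and the ICMP body did not, without needing to diff against a second capture.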
Current thread:
- ICMP Echo Replies & Unknowns? Sheahan, Paul (PCLN-NW) (Jun 27)
- <Possible follow-ups>
- Re: ICMP Echo Replies & Unknowns? Matthew Collins (Jun 28)
- Re: ICMP Echo Replies & Unknowns? Phil Wood (Jun 28)