Snort mailing list archives
RE: What is this?
From: "John Berkers" <berjo () ozemail com au>
Date: Wed, 26 Sep 2001 23:54:39 +1000
Looks like some Time To Lives exceeded in transit. Sometimes this happens because of a routing loop, other times because the TTL on a packet is set too low to reach the intended destination. The TTL is set initially as the maximum number of hops that a packet can travel before being classed as undeliverable. When it is exceeded, the ICMP packet that has been alerted on is generated. The TTL in this packet is not indicative of the TTL of the packet whose TTL exceeded. If you have the packet payload you can determine what the original source and destination addresses were, as the RFC requires that an initial number of bytes from the original packet be sent back in the payload.

All in all it is relatively normal traffic (as is a lot of ICMP stuff), hence the reason icmp.rules is commented out by default.

Hope that clarifies things a little.

Regards,
John Berkers

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Withrow
Sent: Wednesday, 26 September 2001 16:05
To: snort-users () lists sourceforge net
Subject: [Snort-users] What is this?
[**] ICMP Time-To-Live Exceeded in Transit [**]
09/26-01:47:48.167497 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x46
213.16.16.1 -> 66.31.82.9 ICMP TTL:237 TOS:0xC0 ID:18643 IpLen:20 DgmLen:56
Type:11 Code:0 TTL EXCEEDED
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Time-To-Live Exceeded in Transit [**]
09/26-01:47:51.153975 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x46
213.16.16.1 -> 66.31.82.9 ICMP TTL:237 TOS:0xC0 ID:18649 IpLen:20 DgmLen:56
Type:11 Code:0 TTL EXCEEDED
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Time-To-Live Exceeded in Transit [**]
09/26-01:47:57.161955 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x46
213.16.16.1 -> 66.31.82.9 ICMP TTL:237 TOS:0xC0 ID:18652 IpLen:20 DgmLen:56
Type:11 Code:0 TTL EXCEEDED
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
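The reply above makes two points an analyst can act on: the TTL Snort prints (237) belongs to the router's ICMP reply, not to the packet that expired, and the original source and destination are recoverable from the ICMP payload, which carries the expired datagram's IP header plus the first 8 bytes of its data (RFC 792). The following parser is an added example, not code from the thread or from Snort: it pulls those fields out of a raw Type 11 message and verifies the ICMP checksum before trusting the payload. The sample packet is constructed to match the alert (router 213.16.16.1 replying to 66.31.82.9, TTL 237, TOS 0xC0, ID 18643, DgmLen 56); the embedded original datagram's destination 192.0.2.10 (an RFC 5737 documentation address), its UDP ports and its TTL of 1 are assumptions, since the thread does not show the payload.

```python
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
ICMP_TIME_EXCEEDED = 11   # Type 11; Code 0 = TTL exceeded in transit


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a message whose checksum field is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(buf: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header into the fields Snort prints (TTL, TOS, ID, IpLen, DgmLen)."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, _flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"iplen": ihl, "tos": tos, "dgmlen": total_len, "id": ident, "ttl": ttl,
            "proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def parse_time_exceeded(packet: bytes) -> dict:
    """Given a raw IPv4 packet carrying an ICMP Time Exceeded, return who sent it and what it quotes."""
    outer = parse_ipv4_header(packet)
    if outer["proto"] != IPPROTO_ICMP:
        raise ValueError("outer packet is not ICMP")
    icmp = packet[outer["iplen"]:outer["dgmlen"]]
    # 8-byte ICMP header + at least the 20-byte original IP header (RFC 792 payload layout)
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to carry the original header")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMP_TIME_EXCEEDED:
        raise ValueError("ICMP type %d is not Time Exceeded" % icmp_type)
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum; do not trust the quoted payload")
    inner = parse_ipv4_header(icmp[8:])
    # First 8 bytes of the original transport header: for TCP/UDP that is src port, dst port
    l4 = icmp[8 + inner["iplen"]:8 + inner["iplen"] + 8]
    sport = dport = None
    if inner["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "router": outer["src"], "reply_ttl": outer["ttl"], "code": code,   # what Snort shows
        "original_src": inner["src"], "original_dst": inner["dst"],       # what John describes
        "original_ttl": inner["ttl"], "original_proto": inner["proto"],
        "original_sport": sport, "original_dport": dport,
    }


def build_sample_time_exceeded() -> bytes:
    """Constructed sample matching the alert: 213.16.16.1 -> 66.31.82.9, DgmLen 56, ID 18643."""
    # Assumed original datagram: 66.31.82.9 -> 192.0.2.10, UDP, TTL 1 (traceroute-style probe)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 1, IPPROTO_UDP, 0,
                           socket.inet_aton("66.31.82.9"), socket.inet_aton("192.0.2.10"))
    inner_ip = inner_ip[:10] + struct.pack("!H", inet_checksum(inner_ip)) + inner_ip[12:]
    inner_udp = struct.pack("!HHHH", 40000, 33434, 8, 0)   # only these 8 bytes are quoted back
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + inner_ip + inner_udp
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(icmp), 18643, 0, 237, IPPROTO_ICMP, 0,
                           socket.inet_aton("213.16.16.1"), socket.inet_aton("66.31.82.9"))
    outer_ip = outer_ip[:10] + struct.pack("!H", inet_checksum(outer_ip)) + outer_ip[12:]
    return outer_ip + icmp


if __name__ == "__main__":
    info = parse_time_exceeded(build_sample_time_exceeded())
    print("router %s (reply TTL %d) reports that %s -> %s (proto %d, TTL %d, dport %s) expired"
          % (info["router"], info["reply_ttl"], info["original_src"], info["original_dst"],
             info["original_proto"], info["original_ttl"], info["original_dport"]))
```

Feed `parse_time_exceeded` the bytes of a captured packet (for instance from Snort's packet log run with `-d`, or from a pcap) and the `original_*` fields tell you which of your hosts sent the expiring packet and where it was going, which is the evidence you need to decide between a routing loop, a low initial TTL, and a traceroute-style probe. The checksum check matters because a crafted or corrupted ICMP payload can quote any addresses it likes; a message that fails it should not be used to attribute the original packet.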