Snort mailing list archives
ICMP messages
From: Neil Sandow <rxlist () rxlist com>
Date: Fri, 5 Sep 2003 12:03:50 -0700 (PDT)
I'm trying to get to the bottom of alert messages like this one:

```
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
09/05-11:23:30.729265 128.252.1.229 -> 129.250.146.18
ICMP TTL:245 TOS:0x0 ID:1981 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
129.250.146.18:0 -> 128.252.140.114:0
TCP TTL:52 TOS:0x0 ID:11009 IpLen:20 DgmLen:44
Seq: 0x6E4516BA  Ack: 0xA2D4583F
** END OF DUMP
```

While I had snort running I was also running tcpdump so I could get a fuller picture of the traffic from complaining IPs. With the above alert I found several packets in the binary dump from tcpdump indicating that 128.252.140.114 had connected to port 80 and requested a web page:

```
<snip>
---------------------------------------------------------------------------
Packet 294372
TIME:   11:23:21.607182 (0.003618)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.140.114 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=48 id=D91D
        MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0D2F
 TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000
        hlen=28 (data=0) UAPRSF=000010 wnd=8192 cksum=D178 urg=0
DATA:   <No data>
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 294373
TIME:   11:23:21.607497 (0.000315)
LINK:   00:10:5A:82:D3:69 -> 00:01:97:4B:A2:9E type=IP
  IP:   129.250.146.18 -> 128.252.140.114 hlen=20 TOS=00 dgramlen=44 id=236A
        MF/DF=0/0 frag=0 TTL=63 proto=TCP cksum=36E7
 TCP:   port 80 -> 1105 seq=1850021562 ack=0013134531
        hlen=24 (data=0) UAPRSF=010010 wnd=65535 cksum=816F urg=0
DATA:   <No data>
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 294398
TIME:   11:23:21.663391 (0.006901)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.1.229 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=56 id=07A1
        MF/DF=0/0 frag=0 TTL=245 proto=ICMP cksum=2736
ICMP:   destination-unreachable because trafffic-prohibited-by-filter cksum=7352
DATA:   ....E..,#j..4.A........r.P.QnE..
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 295885
TIME:   11:23:24.658763 (0.000513)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.1.229 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=56 id=07AA
        MF/DF=0/0 frag=0 TTL=245 proto=ICMP cksum=272D
ICMP:   destination-unreachable because trafffic-prohibited-by-filter cksum=7352
DATA:   ....E..,'...4.>5.......r.P.QnE..
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 295905
TIME:   11:23:24.678611 (0.000203)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.140.114 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=48 id=DB1D
        MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0B2F
 TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000
        hlen=28 (data=0) UAPRSF=000010 wnd=8192 cksum=D178 urg=0
DATA:   <No data>
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 295907
TIME:   11:23:24.678876 (0.000214)
LINK:   00:10:5A:82:D3:69 -> 00:01:97:4B:A2:9E type=IP
  IP:   129.250.146.18 -> 128.252.140.114 hlen=20 TOS=00 dgramlen=44 id=2729
        MF/DF=0/0 frag=0 TTL=63 proto=TCP cksum=3328
 TCP:   port 80 -> 1105 seq=1850021562 ack=0013134531
        hlen=24 (data=0) UAPRSF=010010 wnd=65535 cksum=816F urg=0
DATA:   <No data>
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 296437
TIME:   11:23:26.327234 (0.035164)
LINK:   00:10:5A:82:D3:69 -> 00:01:97:4B:A2:9E type=IP
  IP:   129.250.146.18 -> 128.252.140.114 hlen=20 TOS=00 dgramlen=1500 id=5F54
        MF/DF=0/1 frag=0 TTL=63 proto=TCP cksum=B54C
 TCP:   port 80 -> 1107 seq=3732292037 ack=0013139065
        hlen=20 (data=1460) UAPRSF=010000 wnd=65535 cksum=004F urg=0
DATA:   HTTP/1.1 200 OK. Date: Fri, 05 Sep 2003 18:23:25 GMT. Server: Apache/1.3.23 (Unix) mod_perl/1.27. Keep-Alive: timeout=15, max=100. Connection: Keep-Alive. Transfer-Encoding: chunked. Content-Type: text/html. . fe7. <html> <head> <title>RxList drug search results page yields brand generic therapeutic category with links to professional and patient oriented monographs"</title> <meta http-equiv="Content-Type" content="text/html; charset= iso-8859-1"> <STYLE TYPE="text/css"> a:link { color:6600FF; font-family: verdana,arial,helvetica; } a:visited { color:990000; font-family: verdana,arial,helvetica; } a:hover { font-family: verdana,arial,helvetica; } a:active { color:006600; font-family: verdana,arial,helvetica; } BODY, TD { font-size: 12px ; color: #000000; font-family: v erdana,arial,helvetica;} .txt10bk { color: #000000; font-size: 10px ; font-weight: 10 0%; font-family: verdana,arial,helvetica;} .txt11bk { color: #000000; font-size: 11px ; font-weight: 10 0%; font-family: verdana,arial,helvetica;} .txt12bk { color: #000000; font-size: 12px ; font-weight: 10 0%; font-family: verdana,arial,helvetica;} .txt13bk { color: #000000; font-size: 13px ; font-weight: 10 0%; font-family: verdana,arial,helvetica;} .txt14bk { color: #000000; font-size: 14px ; font-weight: 10 0%; font-family: verdana,arial,helvetica;} .btxt10bk { color: #000000; font-size: 10px ; font-weight: 7 00; font-family: verdana,arial,helvetica;} .btxt11bk { col
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 298420
TIME:   11:23:30.729259 (0.002923)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.1.229 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=56 id=07BD
        MF/DF=0/0 frag=0 TTL=245 proto=ICMP cksum=271A
ICMP:   destination-unreachable because trafffic-prohibited-by-filter cksum=7352
DATA:   ....E..,+...4.:P.......r.P.QnE..
---------------------------------------------------------------------------
```

Is this the result of a client (128.252.140.114) behind a firewall making an http request that the firewall (128.252.1.229 ?) does not allow?

Thanks!

-Neil

===================
Neil Sandow, Pharm.D.
rx () rxlist com
http://rxlist.com - The Internet Drug Index
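As an added illustration (not part of Neil's post, and not Snort code), the following Python builds an ICMP type 3 code 13 message with the addresses, IP ID and TCP fields from the alert above, decodes it the way a sensor does, and matches the quoted datagram against flow records transcribed from the tcpdump packets in the post. RFC 792 requires the reporting router to quote only the original IP header plus the first 8 bytes of its payload, which for TCP covers the ports and sequence number but stops before the acknowledgement number; the DgmLen of 56 in the alert is exactly 20 + 8 + 20 + 8, i.e. that minimal quote. The parser therefore reports an ack only when a router quotes more than 8 bytes. Every packet byte and every observed-packet record below is constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

ICMP_DEST_UNREACH = 3
CODE_ADMIN_PROHIBITED = 13            # "Communication Administratively Prohibited", as in the alert
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4 and ICMP headers (0 when verifying a good header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int, ident: int) -> bytes:
    """20-byte IPv4 header (IHL=5, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_unreachable(reporter: str, host: str, code: int, original: bytes,
                     quote_bytes: int = 8, ttl: int = 245, ident: int = 0) -> bytes:
    """ICMP type 3 from `reporter` to `host`, quoting the original IP header plus
    `quote_bytes` of its payload (RFC 792 minimum is 8; RFC 1812 routers may quote more)."""
    inner_ihl = (original[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[: inner_ihl + quote_bytes]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(reporter, host, PROTO_ICMP, len(body), ttl, ident) + body


@dataclass
class Unreachable:
    reporter: str             # outer source: the device that refused the datagram
    code: int
    inner_src: str            # sender of the refused datagram (the host that receives this ICMP)
    inner_dst: str            # where the refused datagram was headed
    inner_proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    seq: Optional[int]        # TCP: inside the first 8 quoted bytes
    ack: Optional[int]        # TCP: bytes 8..11 of the header, absent from a minimal quote


def parse_unreachable(pkt: bytes) -> Unreachable:
    """Decode an IPv4/ICMP destination-unreachable datagram and its quoted original."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_ICMP:
        raise ValueError("not an ICMP datagram")
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH or inet_checksum(icmp) != 0:
        raise ValueError("not a valid destination-unreachable message")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:]
    proto = inner[9]
    src_port = dst_port = seq = ack = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        src_port, dst_port = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP and len(l4) >= 8:
        seq = struct.unpack("!I", l4[4:8])[0]
    if proto == PROTO_TCP and len(l4) >= 12:        # only present when the router quoted extra bytes
        ack = struct.unpack("!I", l4[8:12])[0]
    return Unreachable(socket.inet_ntoa(pkt[12:16]), icmp[1],
                       socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]),
                       proto, src_port, dst_port, seq, ack)


def find_quoted_packet(info: Unreachable, observed: List[dict]) -> Optional[int]:
    """Return the capture packet number whose addresses, ports and seq the ICMP quotes, if any."""
    key = (info.inner_src, info.inner_dst, info.src_port, info.dst_port, info.seq)
    for p in observed:
        if (p["src"], p["dst"], p["sport"], p["dport"], p["seq"]) == key:
            return p["num"]
    return None


# Constructed: the SYN-ACK seen as packet 294373, 129.250.146.18:80 -> 128.252.140.114:1105,
# seq 1850021562 (0x6E4516BA), 24-byte TCP header (20 + MSS option), 44-byte datagram, IP ID 0x236A.
_TCP_SYNACK = struct.pack("!HHIIBBHHH", 80, 1105, 0x6E4516BA, 13134531,
                          0x60, 0x12, 65535, 0, 0) + b"\x02\x04\x05\xb4"
ORIGINAL_SYNACK = ipv4_header("129.250.146.18", "128.252.140.114", PROTO_TCP,
                              len(_TCP_SYNACK), 52, 0x236A) + _TCP_SYNACK

# Constructed ICMP shaped like the alert: 128.252.1.229 -> 129.250.146.18, ID 1981 (0x07BD), DgmLen 56.
ALERT_PACKET = icmp_unreachable("128.252.1.229", "129.250.146.18", CODE_ADMIN_PROHIBITED,
                                ORIGINAL_SYNACK, ttl=245, ident=0x07BD)

# Flow records transcribed from the tcpdump output in the post (constructed test data).
OBSERVED = [
    {"num": 294372, "src": "128.252.140.114", "dst": "129.250.146.18", "sport": 1105, "dport": 80, "seq": 13134530},
    {"num": 294373, "src": "129.250.146.18", "dst": "128.252.140.114", "sport": 80, "dport": 1105, "seq": 1850021562},
]

if __name__ == "__main__":
    info = parse_unreachable(ALERT_PACKET)
    print(f"{info.reporter} refused (code {info.code}) {info.inner_src}:{info.src_port} -> "
          f"{info.inner_dst}:{info.dst_port}; quoted capture packet {find_quoted_packet(info, OBSERVED)}")
```

Run stand-alone, the script identifies packet 294373 (the server's SYN-ACK) as the datagram the 128.252.1.229 device refused, which is the correlation a sensor operator wants when triaging sid 485: the ICMP arrives at the original sender, so the outer destination is the victim of the drop and the quoted inner destination tells you who it could not reach.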