Snort mailing list archives
Re: ICMP messages
From: Neil Sandow <rxlist () rxlist com>
Date: Mon, 8 Sep 2003 14:13:03 -0700 (PDT)
On Mon, 8 Sep 2003, Matt Kettler wrote:
> At 10:46 AM 9/8/2003 -0700, Neil Sandow wrote:
>
> > ---------------------------------------------------------------------------
> > Packet 294372
> > TIME: 11:23:21.607182 (0.003618)
> > LINK: 00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
> > IP:   128.252.140.114 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=48 id=D91D
> >       MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0D2F
> > TCP:  port 1105 -> 80 seq=0013134530 ack=0000000000 hlen=28 (data=0)
> >       UAPRSF=000010 wnd=8192 cksum=D178 urg=0
> > DATA: <No data>
> > ---------------------------------------------------------------------------
> >
> > indicating that 128.252.140.114 (port 1105) made a request to 129.250.146.18
> > (port 80) which was then ack'd and so on, leading to the firewall ICMP
> > messages. That's why I refer to 129.250.146.18 as the 'server' and
> > 128.252.140.114 as the 'client'. This is wrong?
>
> Quite frankly, I don't recognize that dump format, so I was largely ignoring
> it.. However, now that I've finally managed to figure out the particularly
> strange method used for denoting the flags field as UAPRSF=xxxxxx (I've never
> seen a packet dumper do that before), you are correct.
>
> I'd venture to guess that they goofed up their firewall rules and are blocking
> any inbound packets with the syn bit set.. As opposed to blocking any packet
> with syn and no ack. It hasn't even gotten to the point that a HTTP request
> was made, so this is very low-level packet-filter type behavior. Probably some
> form of simple stateless packet filter in a router somewhere.
Thanks, Matt. I get quite a lot of these so I'm glad to have at least some understanding of what's going on here. These days, it seems, everybody has a firewall and probably not everybody knows what they're doing when they set them up.

BTW, the dump format came from

    tcpshow < dump.file

after logging packets with tcpdump as:

    tcpdump -i ethx -s 1518 -w dump.file

-Neil
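As an added illustration of the two filter rules Matt contrasts (this is example code written for this archive page, not anything from the thread or from tcpshow): it decodes the UAPRSF=xxxxxx field as tcpshow prints it and applies "drop any packet with SYN set" and "drop SYN without ACK" to a constructed three-way handshake modelled on the dumped packet. The handshake packets and their tags are constructed; only the client SYN's flag value comes from the dump.

```python
# Added example, not from the thread: decode tcpshow's UAPRSF flag field and
# compare the two stateless filter rules discussed above.

FLAG_ORDER = "UAPRSF"  # URG, ACK, PSH, RST, SYN, FIN, in tcpshow's print order


def parse_uaprsf(field):
    """Turn 'UAPRSF=000010' (or a bare '000010') into a set of flag letters."""
    bits = field.split("=")[-1].strip()
    if len(bits) != len(FLAG_ORDER) or set(bits) - {"0", "1"}:
        raise ValueError("bad UAPRSF field: %r" % field)
    return {letter for letter, bit in zip(FLAG_ORDER, bits) if bit == "1"}


def drop_any_syn(flags):
    """The suspected goofed rule: every packet with SYN set is dropped."""
    return "S" in flags


def drop_syn_no_ack(flags):
    """The intended rule: only connection-opening SYNs (SYN, no ACK) are dropped."""
    return "S" in flags and "A" not in flags


def apply_rule(rule, packets):
    """Return the tags of the packets that `rule` would drop."""
    return [tag for tag, field in packets if rule(parse_uaprsf(field))]


# Constructed handshake; the first flag value is the one in the dump
# (128.252.140.114:1105 -> 129.250.146.18:80, UAPRSF=000010 == SYN only).
HANDSHAKE = [
    ("client SYN", "UAPRSF=000010"),
    ("server SYN-ACK", "UAPRSF=010010"),
    ("client ACK", "UAPRSF=010000"),
]


if __name__ == "__main__":
    for name, rule in (("drop any SYN", drop_any_syn),
                       ("drop SYN without ACK", drop_syn_no_ack)):
        print("%-22s drops: %s" % (name, apply_rule(rule, HANDSHAKE)))
```

The "drop any SYN" rule also discards the returning SYN-ACK, so even connections opened from the protected side never complete, which is the symptom the thread describes.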