Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ICMP messages

From: Neil Sandow <rxlist () rxlist com>
Date: Mon, 8 Sep 2003 14:13:03 -0700 (PDT)


On Mon, 8 Sep 2003, Matt Kettler wrote:


At 10:46 AM 9/8/2003 -0700, Neil Sandow wrote:

---------------------------------------------------------------------------
Packet 294372
TIME:   11:23:21.607182 (0.003618)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.140.114 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=48
id=D91D
        MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0D2F
 TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000
        hlen=28 (data=0) UAPRSF=000010 wnd=8192 cksum=D178 urg=0
DATA:   <No data>
---------------------------------------------------------------------------

indicating that 128.252.140.114 (port 1105) made a request to
129.250.146.18 (port 80) which was then ack'd and so on leading to the
firewall ICMP messages.  That's why I refer to 129.250.146.18 as the
'server' and 128.252.140.114 as the 'client'.   This is wrong?


Quite frankly, I don't recognize that dump format, so I was largely
ignoring it..

However, now that I've finally managed to figure out the particularly
strange method use for denoting the flags field as UAPRSF=xxxxxx (I've
never seen a packet dumper do that before), you are correct.

I'd venture to guess that they goofed up their firewall rules and are
blocking any inbound packets with the syn bit set.. As opposed to blocking
any packet with syn and no ack.

It hasn't even gotten to the point that a HTTP request was made, so this is
very low-level packet-filter type behavior. Probably some form of simple
stateless packet filter in a router somewhere.



Thanks, Matt.  I get quite a lot of these so I'm glad to have at least
some understanding of what's going on here.  These days, it seems,
everybody has a firewall and probably not everybody knows what they're
doing when they set them up.

BTW, the dump format came from tcpshow < dump.file after logging packets
with tcpdump as:

tcpdump -i ethx -s 1518 -w dump.file

-Neil



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: