Snort mailing list archives
Re: Snort ICMP # 485
From: Timm Schneider <timm () mdmarkt de>
Date: Mon, 24 Nov 2003 15:45:35 +0100
Hi, the IP 195.143.234.178 is my segment. That spoofing may be the reason, that I know, but why are there three different IPs in one alert? 57.72.7.62, 57.72.1.170, 195.143.234.178 (my IP). For me, my router (FW) gets a request or whatever (maybe spoofing) and sends a packet back (answer). Which server is the first to say this host is not reachable, mine or the other one? So who produces the alert information, my Snort or the other router?

Thanks
Timm

On Monday, 24 November 2003 14:13, Glenn Forbes Fleming Larratt wrote:
Not sure what you mean by "i have read what is about #485", but: ICMP is often part of a so-called "protocol bender", in that an ICMP packet often occurs as a response to a non-ICMP packet, usually to report some error condition. Some of the most common ICMP messages in this case include "unreachable" messages of various sorts and "timeout" messages for packet time-to-live (which is used for UNIX-based traceroute - see http://www.exit109.com/~jeremy/news/providers/traceroute.html ) or fragment reassembly.

The ICMP packets that this rule alerts on are of a slightly different character. An "administratively prohibited" ICMP message is sent when a host - usually a router - has access control configured into it that doesn't allow the traffic that was sent. A simple example: if your border router doesn't allow connections to services that are commonly unencrypted, say telnet, SNMP, POP, and IMAP, you'd have a Cisco ACL that looked like:

    access-list 101 deny tcp any any eq 23
    access-list 101 deny tcp any any eq 110
    access-list 101 deny tcp any any eq 143
    access-list 101 deny udp any any eq 161
    access-list 101 permit ip any any

then the default behavior of your Cisco router when someone tries to telnet in is for the border router (*not* the target host) to return this ICMP message to the initiating host, with a copy of the packet ("Original Datagram Dump") that triggered it in the ICMP packet's payload.

In your particular example, host 195.143.234.178 tried to send a packet - it's not clear from the data you submitted what sort of packet - to host 57.72.7.62; however the router with address 57.72.1.170 dropped the packet, and sent this ICMP packet to notify the sending host of the problem. If 195.143.0.0/16 or some subset is your network, then either your host 195.143.234.178 might bear some inspection, or someone might be spoofing (forging) your address space.
If 57.72.0.0/16 or some subset is your network, then someone at 195.143.234.178 (or spoofing that address) may have been probing your border.

More data would help :)

-g

On Mon, 24 Nov 2003, Timm Schneider wrote:

Hi all, in my alerts file there is often the entry #485, i.e. ICMP Administrative Prohibited. On the Snort site I have read what #485 is about. Now I have a question: what exactly does this mean?

    11/22-05:59:19.952942  57.72.1.170  ->  195.143.234.178
          date-hour            ???             my IP
    Packet Filtered
    Original Datagram Dump
    195.143.234.178 -> 57.72.7.62

Why are the IPs not identical? What does that mean? Does Snort get to know the real spoofing address?

Thanks in advance.

Timm Schneider
-------------------
Musik-digital-Markt
Siegesstr.22a 80802 München
Voice: 089/ 51997011 Fax: 089/ 51997012
www.mdmarkt.de
HD-Recording Netzwerktechnik Studiotechnik
Our mails are checked with Kaspersky AVP virus scan.

Glenn Forbes Fleming Larratt
Rice University Networking
glratt () rice edu
--
Timm Schneider
-------------------
Musik-digital-Markt
Siegesstr.22a 80802 München
Voice: 089/ 51997011
www.mdmarkt.de
HD-Recording Netzwerktechnik Studiotechnik
Our mails are checked with Kaspersky AVP virus scan.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
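The "protocol bender" Glenn describes above can be checked directly from the packet bytes, which also answers Timm's question of who produced what. The following is an added example, not code from this thread, from Snort or from any of the posters: it decodes an ICMP type 3 / code 13 packet (destination unreachable, communication administratively prohibited, the type/code pair that Snort rule 485 matches), pulls the Original Datagram Dump out of the ICMP payload, reports which address is the reporting router, which host the error is addressed to, and which source/destination pair was dropped, and then applies Glenn's two-way test ("is the quoted source ours, or the quoted destination?") against a list of local networks. The sample packet is constructed inside the block from the three addresses in the alert; that the dropped packet was a TCP SYN to port 23 and that 195.143.234.0/24 is Timm's segment are assumptions, since the thread shows neither.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ADMIN_PROHIBITED_CODES = {          # RFC 1812 destination-unreachable codes
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def inet_checksum(data):
    """RFC 1071 ones-complement sum; yields 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                                ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, inet_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def build_admin_prohibited(router, dropped, code=13):
    """What the filtering router sends back: ICMP type 3, then IP header + 8 bytes of the dropped datagram."""
    icmp = bytearray(struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + dropped[:28])
    struct.pack_into("!H", icmp, 2, inet_checksum(bytes(icmp)))
    original_sender = str(ipaddress.IPv4Address(dropped[12:16]))
    return build_ipv4(router, original_sender, 1, bytes(icmp), ttl=250)


def parse_ipv4(buf, verify):
    """src/dst/proto/payload of an IPv4 header; 'payload' ignores Total Length because an ICMP quote is truncated."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    if verify and inet_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(buf[12:16])),
            "dst": str(ipaddress.IPv4Address(buf[16:20])),
            "proto": buf[9], "payload": buf[ihl:]}


def decode_admin_prohibited(raw):
    """Decode one packet; None if it is not an admin-prohibited ICMP error, ValueError if malformed."""
    outer = parse_ipv4(raw, verify=True)
    if outer["proto"] != 1:
        return None
    icmp = outer["payload"]
    if len(icmp) < 8 + 20 or inet_checksum(icmp) != 0:
        raise ValueError("ICMP header truncated or checksum mismatch")
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] not in ADMIN_PROHIBITED_CODES:
        return None
    # The quoted header is not checksum-verified: NAT boxes on the path rewrite it.
    inner = parse_ipv4(icmp[8:], verify=False)
    info = {"reporter": outer["src"],            # the router that applied the ACL
            "notified": outer["dst"],            # whoever the error is addressed to
            "reason": ADMIN_PROHIBITED_CODES[icmp[1]],
            "orig_src": inner["src"], "orig_dst": inner["dst"],
            "orig_proto": PROTO_NAMES.get(inner["proto"], str(inner["proto"]))}
    if inner["proto"] in (6, 17) and len(inner["payload"]) >= 4:
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner["payload"][:4])
    return info


def interpret(info, my_nets):
    """Glenn's two-way test: which side of the dropped packet is ours decides what to inspect."""
    nets = [ipaddress.ip_network(n) for n in my_nets]

    def mine(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    target = "%s:%s" % (info["orig_dst"], info.get("orig_dport", "?"))
    if info["notified"] != info["orig_src"]:
        return "error delivered to %s but quoted source is %s: NAT or forged quote, inspect by hand" % (
            info["notified"], info["orig_src"])
    if mine(info["orig_src"]):
        return "local host %s (or someone spoofing it) sent %s to %s; router %s dropped it (%s)" % (
            info["orig_src"], info["orig_proto"], target, info["reporter"], info["reason"])
    if mine(info["orig_dst"]) or mine(info["reporter"]):
        return "remote host %s probed %s and was blocked at router %s" % (
            info["orig_src"], target, info["reporter"])
    return "neither side is local; the verdict depends on where the sensor sits"


# Constructed sample that mirrors the alert in the thread. Assumptions: the dropped
# packet was a TCP SYN to telnet (port 23) and 195.143.234.0/24 is the local segment.
DROPPED = build_ipv4("195.143.234.178", "57.72.7.62", 6,
                     struct.pack("!HHIIBBHHH", 40123, 23, 0x1000, 0, 0x50, 0x02, 8192, 0, 0))
SAMPLE = build_admin_prohibited("57.72.1.170", DROPPED, code=13)
MY_NETS = ["195.143.234.0/24"]

if __name__ == "__main__":
    info = decode_admin_prohibited(SAMPLE)
    print(info)
    print(interpret(info, MY_NETS))
```

Run against the sample, the decoder reports 57.72.1.170 as the reporter and 195.143.234.178 as both the notified host and the quoted source, which is exactly the three-address pattern in the alert: the router wrote the ICMP packet, Snort only observed it. The outer IP and ICMP checksums are verified so a truncated or corrupted capture raises instead of producing a plausible-looking verdict; the quoted header is deliberately not verified because NAT devices rewrite it in transit.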
Current thread:
- Snort ICMP # 485 Timm Schneider (Nov 24)
- Re: Snort ICMP # 485 Glenn Forbes Fleming Larratt (Nov 24)
- Re: Snort ICMP # 485 Timm Schneider (Nov 24)
- Re: Snort ICMP # 485 Glenn Forbes Fleming Larratt (Nov 24)