Re: Snort ICMP # 485

[Timm Schneider <timm () mdmarkt de>]

Hi,
the ip 195.143.234.178 is my segment.
That maybe spoofing is the reason that's i know, but why are three diffrent 
ip's in one alert. 

57.72.7.62
57.72.1.170
195.143.234.178( my IP)

For me, my router(FW) becomes an request or whatever(maybe spoofing)
and send a paket back(answer) .
Which server makes the beginning to say this host is not reachable,
my or the other one?
So who makes the alert information my snort or the other router?


Thanks

Timm

Am Montag, 24. November 2003 14:13 schrieb Glenn Forbes Fleming Larratt:
> Not sure what you mean by "i have read what is about #485", but:
>
> ICMP is often part of a so-called "protocol bender", in that an ICMP
> packet often occurs as a response to a non-ICMP packet, usually to
> report some error condition. Some of the most common ICMP messages in
> this case include "unreachable" messages of various sorts and
> "timeout" messages for packet time-to-live (which is used for
> UNIX-based traceroute - see
>
> http://www.exit109.com/~jeremy/news/providers/traceroute.html
>
> ) or fragment reassembly.
>
> The ICMP packets that this rule alerts on are of a slightly different
> character. An "administratively prohibited" ICMP message is sent when
> a host - usually a router - has access control configured into it that
> doesn't allow the traffic that was sent.
>
> A simple example: if your border router doesn't allow connections to
> services that are commonly unencrypted, say telnet, SNMP, POP, and IMAP,
> you'd have a Cisco ACL that looked like:
>
>   access-list 101 deny tcp any any eq 23
>   access-list 101 deny tcp any any eq 110
>   access-list 101 deny tcp any any eq 143
>   access-list 101 deny udp any any eq 161
>   access-list 101 permit ip any any
>
> , then the default behavior of your Cisco router when someone tries to
> telnet in is for the border router (*not* the target host) to return
> this ICMP message to the initiating host, with a copy of the packet
> ("Original Datagram Dump") that triggered it in the ICMP packet's
> payload.
>
> In your particular example, host 195.143.234.178 tried to send a
> packet - it's not clear from the data you submitted what sort of
> packet - to host 57.72.7.62; however the router with address
> 57.72.1.170 dropped the packet, and sent this ICMP packet to notify
> the sending host of the problem.
>
> If 195.143.0.0/16 or some subset is your network, then either your
> host 195.143.234.178 might bear some inspection, or someone might be
> spoofing (forging) your address space.
>
> If 57.72.0.0/16 or some subset is your network, then someone at
> 195.143.234.178 (or spoofing that address) may have been probing your
> border.
>
> More data would help :)
>
>       -g
>
> On Mon, 24 Nov 2003, Timm Schneider wrote:
> > Hi all,
> >
> > in my Alerts File there is often the entry #485 d.h. ICMP
> > Administrative Prohibited.
> > On the Snort site i have read what is about #485.
> > Now i have a question what exactly mean this.
> >
> >
> > 11/22-05:59:19.952942       57.72.1.170 ->  195.143.234.178
> >  Date-Hour           ???                                               
> > my IP
> >
> > Packet Filtered
> >
> > Original Datagram Dump
> >
> > 195.143.234.178 -> 57.72.7.62
> >
> >
> > Why are the IP's not identical ?
> > What means that?
> >
> > Snort becomes tho know the real Spoofing Address?
> >
> >
> > Thanks in advance.
> >
> >
> >
> > Timm Schneider
> > -------------------
> > Musik-digital-Markt
> > Siegesstr.22a
> > 80802 München
> > Voice: 089/ 51997011
> > Fax: 089/ 51997012
> > www.mdmarkt.de
> > HD-Recording
> > Netzwerktechnik
> > Studiotechnik
> > Unsere Mails werden mit Kaspersky AVP Virenscan geprüft.
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: SF.net Giveback Program.
> > Does SourceForge.net help you b
>
>                               Glenn Forbes Fleming Larratt
>                               Rice University Networking
>                               glratt () rice edu
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?  SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?listžort-users

-- 
Timm Schneider
-------------------
Musik-digital-Markt
Siegesstr.22a
80802 München
Voice: 089/ 51997011
www.mdmarkt.de
HD-Recording
Netzwerktechnik
Studiotechnik
Unsere Mails werden mit Kaspersky AVP Virenscan geprüft.



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users