Re: ICMP Time-To-Live Exceeded in Transit

[Erwin Van de Velde <erwin.vandevelde () ua ac be>]

Hi,

By popular demand, here is some more information :-) 
I discovered something by taking a closer look:

The alerts are on inbound packets, with as payload 
org. source ip: 192.168.0.2
org source port: 2048 (ALWAYS!!!???) <<===
org dest ip: differs, external ip's
org dest port: differs, between 40000 and 60000

I didn't read all the alerts as there are to many, but I tested +/- 20 of them 
and these were the results...
I do not think it's a virus, as I'm running a virus scanner (Norton AV 2003) 
there, which is fully updated. I'm especially concerned about the fixed 
source port now... 
Does anybody know about this?

Thanks in advance,
Erwin Van de Velde
Student of Antwerp University,
Belgium



On Tuesday 23 December 2003 12:26, Edin Dizdarevic wrote:
> Hi,
>
> what is in the payload? Those ICMP-packets (usually) transport 8 bytes
> of the packet's header that caused the error. If the originate packets
> are comming from your host(s), than you may probably often use
> traceroute ;). If not, consider creating a passrule for those packets.
> Where is your sensor sitting? On the router or on your computer? You may
> also consider running Snort behind your packet filter (if you have one).
> Your NATing router should only forward ICMP errors that related to your
> connections. *DO NOT BLOCK ICMP* completely, since that may cause more
> problems as it solves.
>
> Hm, the more I think about your problem, the more it is becoming clear
> to me that you simply provided a bit to less information ;) .
>
> Regards,
> Edin
>
> Erwin Van de Velde schrieb:
> > Hi,
> >
> > I'm using snort 2.1.0 and I'm getting quite a lot of these alerts
> > (43% of the total of alerts). All packets that are logged, are going
> > to a computer behind my router. I'm using NAT on the router, and my
> > internal network has only one computer behind it: 192.168.0.2. Router
> > has (DHCP configured IP, 192.168.0.1) as IP addresses. What can I do
> > to get rid of all these messages, except disabling this rule? Is
> > there a way to tweak snort, so that it does not generate these false
> > positives anymore? Is it an error caused by shorewall, that I use on
> > the router for NAT, or is there another reason why these alerts are
> > generated?
> >
> > Thanks in advance,
> >
> > Erwin Van de Velde Student of Antwerp University Belgium
>
> [...]



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users