Snort mailing list archives
Re: ICMP Time-To-Live Exceeded in Transit
From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
Date: Tue, 23 Dec 2003 13:02:56 +0100
Hi,

By popular demand, here is some more information :-)

I discovered something by taking a closer look: the alerts are on inbound packets, with as payload
org. source ip: 192.168.0.2
org. source port: 2048 (ALWAYS!!!???) <<===
org. dest ip: differs, external IPs
org. dest port: differs, between 40000 and 60000

I didn't read all the alerts as there are too many, but I tested +/- 20 of them and these were the results...

I do not think it's a virus, as I'm running a virus scanner (Norton AV 2003) there, which is fully updated. I'm especially concerned about the fixed source port now... Does anybody know about this?

Thanks in advance,
Erwin Van de Velde
Student of Antwerp University, Belgium

On Tuesday 23 December 2003 12:26, Edin Dizdarevic wrote:
Hi,

what is in the payload? Those ICMP packets (usually) transport 8 bytes of the packet's header that caused the error. If the originating packets are coming from your host(s), then you may probably often use traceroute ;). If not, consider creating a pass rule for those packets.

Where is your sensor sitting? On the router or on your computer? You may also consider running Snort behind your packet filter (if you have one). Your NATing router should only forward ICMP errors that relate to your connections. *DO NOT BLOCK ICMP* completely, since that may cause more problems than it solves.

Hm, the more I think about your problem, the more it is becoming clear to me that you simply provided a bit too little information ;).

Regards,
Edin

Erwin Van de Velde wrote:
Hi,

I'm using snort 2.1.0 and I'm getting quite a lot of these alerts (43% of the total of alerts). All packets that are logged are going to a computer behind my router. I'm using NAT on the router, and my internal network has only one computer behind it: 192.168.0.2. The router has (DHCP-configured IP, 192.168.0.1) as IP addresses. What can I do to get rid of all these messages, except disabling this rule? Is there a way to tweak snort so that it does not generate these false positives anymore? Is it an error caused by shorewall, which I use on the router for NAT, or is there another reason why these alerts are generated?

Thanks in advance,
Erwin Van de Velde
Student of Antwerp University, Belgium
[...]
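As an added example (not part of this thread, and not Snort code), a small Python decoder for the quoted header that an ICMP Time Exceeded message carries: the 8 bytes after the inner IP header are only "ports" when the inner protocol is TCP or UDP, so the decoder first reads the inner protocol field and then interprets those bytes accordingly. The sample message, addresses and values are constructed here; note that for an embedded ICMP echo request the type/code bytes 0x08 0x00 come out as source port 2048 when read as if they were a UDP/TCP port.

```python
import socket
import struct


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_time_exceeded(inner_src, inner_dst, inner_proto, inner_l4: bytes) -> bytes:
    """Constructed sample: ICMP type 11 code 0 wrapping an inner IPv4 header + 8 L4 bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_l4), 0x1234, 0, 1,
                         inner_proto, 0, socket.inet_aton(inner_src), socket.inet_aton(inner_dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_checksum(ip_hdr)) + ip_hdr[12:]
    body = struct.pack("!BBHI", 11, 0, 0, 0) + ip_hdr + inner_l4[:8]
    return body[:2] + struct.pack("!H", ones_complement_checksum(body)) + body[4:]


def decode_time_exceeded(icmp: bytes) -> dict:
    """Parse the inner IP header of an ICMP error and read its 8 L4 bytes both ways."""
    outer_type, outer_code = icmp[0], icmp[1]
    inner = icmp[8:]                      # 4 unused bytes follow the ICMP header
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    l4 = inner[ihl:ihl + 8]
    naive_sport, naive_dport = struct.unpack("!HH", l4[:4])   # what a port-only view shows
    if proto in (6, 17):                  # TCP / UDP: these really are ports
        decoded = {"src_port": naive_sport, "dst_port": naive_dport}
    elif proto == 1:                      # ICMP: type, code, checksum, then id/seq for echo
        decoded = {"icmp_type": l4[0], "icmp_code": l4[1], "checksum": naive_dport}
    else:
        decoded = {"raw": l4.hex()}
    return {"outer": (outer_type, outer_code), "src": src, "dst": dst, "proto": proto,
            "as_ports": (naive_sport, naive_dport), "decoded": decoded}


if __name__ == "__main__":
    # Constructed echo request: type 8, code 0, checksum 0xABCD, id 0x1234, seq 1
    echo = bytes([8, 0, 0xAB, 0xCD, 0x12, 0x34, 0x00, 0x01])
    print(decode_time_exceeded(build_time_exceeded("192.168.0.2", "203.0.113.7", 1, echo)))
```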