Snort mailing list archives
Re: Suspicious ICMP traces
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 23 Oct 2001 09:29:36 -0600 (MDT)
On Tue, 23 Oct 2001, Demetri Mouratis wrote:
> I'm not really sure so I thought I'd pass this along for second opinions. One thing that raised my suspicions was that the ICMP packet seems to contain a UDP datagram within it. (Or am I jumping the gun on that?)
ICMP unreachable messages contain a portion of the original packet, so that the hosts can determine which packet was rejected.
> So, here is the relevant portion of alert:
> [**] [1:485:1] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> 10/21-20:21:24.622037 12.125.63.42 -> 192.168.75.7
Are you 12.125.63.42? Is 192.168.75.7 the real attacker address, or have you sanitized it? That's an RFC1918 address.
> I've got maybe 10,000 of these over a few day period. I'm also seeing portscans from 192.168.75.7 so I'm pretty sure something is not right here.
Well, if you're sending ICMP unreachables in response to being portscanned, that's pretty much what is supposed to happen.
Ryan
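As an added illustration of Ryan's point about the quoted original packet (this is example code, not anything posted in the thread), the following Python builds a constructed ICMP type 3 code 13 message that quotes a UDP datagram using the same addresses as the alert, then parses the quoted IP header and its first 8 bytes to recover the original packet's source, destination, protocol and ports. The ports, payload and packet bytes are constructed for the example, and `quoted_packet_was_sent_by` is a hypothetical analyst-side helper, not a Snort feature.

```python
"""Parse an ICMP Destination Unreachable and recover the quoted original datagram
(inner IP header + first 8 bytes of its payload, per RFC 792)."""
import socket
import struct

ICMP_DEST_UNREACH = 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# RFC 792 / RFC 1812 names for type 3 codes (subset commonly seen from filtering routers).
UNREACH_CODES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    9: "Network Administratively Prohibited",
    10: "Host Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample datagram: minimal IPv4 header + UDP header + payload."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + udp


def build_icmp_unreachable(code: int, original: bytes) -> bytes:
    """What a filtering router sends back: ICMP type 3 quoting the rejected packet."""
    ihl = (original[0] & 0x0F) * 4
    quoted = original[: ihl + 8]  # full IP header + first 8 bytes of L4 (the UDP header here)
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    csum = ones_complement_sum(body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Return the addresses/ports of the datagram quoted inside an ICMP unreachable."""
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to carry a quoted IP header")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not an ICMP Destination Unreachable (type %d)" % icmp_type)
    if ones_complement_sum(icmp) != 0:  # a valid checksum sums to zero over the whole message
        raise ValueError("ICMP checksum mismatch")
    inner = icmp[8:]
    if inner[0] >> 4 != 4:
        raise ValueError("quoted packet is not IPv4")
    ihl = (inner[0] & 0x0F) * 4
    info = {
        "code": code,
        "code_name": UNREACH_CODES.get(code, "code %d" % code),
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_proto": inner[9],
    }
    l4 = inner[ihl:ihl + 8]
    if info["inner_proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        info["inner_sport"], info["inner_dport"] = struct.unpack("!HH", l4[:4])
    return info


def quoted_packet_was_sent_by(icmp: bytes, my_addresses: set) -> bool:
    """Hypothetical analyst check: does the quoted packet claim to come from one of
    our own addresses? If so the unreachable is the expected reply to traffic we
    emitted (or to traffic someone spoofed with our address)."""
    return parse_icmp_unreachable(icmp)["inner_src"] in my_addresses


# Constructed sample mirroring the alert's addresses: 192.168.75.7 sent a UDP probe to
# 12.125.63.42, and a filter in front of 12.125.63.42 answered with type 3 code 13.
ORIGINAL = build_ipv4_udp("192.168.75.7", "12.125.63.42", 40000, 1025, b"probe-payload")
SAMPLE_ICMP = build_icmp_unreachable(13, ORIGINAL)

if __name__ == "__main__":
    print(parse_icmp_unreachable(SAMPLE_ICMP))
```

The useful comparison for the analyst is the inner tuple, not the outer one: the outer packet is router -> your host, while the quoted inner packet is what your host (or something using its address) sent to the filtered destination. If the inner source is one of your addresses, the flood of unreachables is the normal echo of outbound scanning, which is exactly what Ryan describes.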