Snort mailing list archives

Re: Suspicious ICMP traces


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 23 Oct 2001 09:29:36 -0600 (MDT)

On Tue, 23 Oct 2001, Demetri Mouratis wrote:

I'm not really sure so I thought I'd pass this along for second opinions.
One thing that raised my suspicions was that the ICMP packet seems to
contain a UDP datagram within it.  (Or am I jumping the gun on that?)

ICMP unreachable messages contain a portion of the original packet, so
that the hosts can determine which packet was rejected.


So, here is the relevant portion of alert:

[**] [1:485:1] ICMP Destination Unreachable (Communication
Administratively Prohibited) [**]
10/21-20:21:24.622037 12.125.63.42 -> 192.168.75.7

Are you 12.125.63.42?  Is 192.168.75.7 the real attacker address, or have
you sanitized it?  That's a RFC1918 address.

I've got maybe 10,000 of these over a few day period.  I'm also seeing
portscans from 192.168.75.7 so I'm pretty sure something is not right
here.

Well, if you're sending ICMP unreachables in response to being
portscanned, that's pretty much what is supposed to happen.

                                        Ryan
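Added illustration (not part of the thread): a small decoder for the situation Ryan describes. It builds a constructed ICMP type 3 / code 13 packet whose payload quotes the rejected UDP probe, then decodes it the way a defender reading the Snort alert would: the outer source is the device that sent the unreachable, the quoted inner IP header names the host whose probe was rejected, and the first 8 bytes after that header are the probe's UDP header. It also applies the two sanity checks from the reply: does the quoted source match the ICMP destination, and is either address RFC1918 space. Port numbers and the TTL are assumed values; the addresses are the ones from the alert.

```python
import ipaddress
import struct

# RFC 1918 private ranges (the address class the reply asks about)
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_DEST_UNREACH = 3
ICMP_UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                      3: "Port Unreachable",
                      9: "Network Administratively Prohibited",
                      10: "Host Administratively Prohibited",
                      13: "Communication Administratively Prohibited"}

# Addresses exactly as they appear in the quoted Snort alert line
OUTER_SRC = "12.125.63.42"   # host/router that emitted the unreachable
OUTER_DST = "192.168.75.7"   # host the unreachable was sent back to


def inet_checksum(data: bytes) -> int:
    """Standard ones-complement checksum used by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(code, original_datagram):
    """RFC 792 layout: type, code, checksum, 4 unused bytes, then the
    original IP header plus the first 8 bytes of its payload."""
    ihl = (original_datagram[0] & 0x0F) * 4
    quoted = original_datagram[:ihl + 8]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_sample():
    """Constructed packet: 192.168.75.7 sends a UDP probe (assumed ports
    40000 -> 53) to 12.125.63.42, which answers with code 13."""
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)       # UDP checksum left 0
    probe = build_ipv4_header(OUTER_DST, OUTER_SRC, 17, len(udp)) + udp
    return build_icmp_unreachable(13, probe)


def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Decode the quoted original datagram inside a destination unreachable."""
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not an ICMP destination unreachable")
    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("quoted datagram truncated")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _hc, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    l4 = inner[ihl:ihl + 8]          # first 8 bytes of the original payload
    info = {"code": code,
            "code_name": ICMP_UNREACH_CODES.get(code, "code %d" % code),
            "checksum_ok": inet_checksum(icmp) == 0,
            "orig_src": str(ipaddress.ip_address(src)),
            "orig_dst": str(ipaddress.ip_address(dst)),
            "orig_proto": proto, "sport": None, "dport": None}
    if proto in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def assess(outer_src, outer_dst, icmp) -> list:
    """Sanity checks an analyst would run on the alert: the quoted probe
    source should equal the ICMP destination, and RFC1918 addresses on the
    public side of a border are a sign of sanitised or misread output."""
    info = parse_icmp_unreachable(icmp)
    findings = []
    if not info["checksum_ok"]:
        findings.append("ICMP checksum invalid")
    if info["orig_src"] != outer_dst:
        findings.append("quoted probe source %s differs from ICMP destination %s"
                        % (info["orig_src"], outer_dst))
    for label, addr in (("ICMP sender", outer_src), ("probe source", info["orig_src"])):
        if is_rfc1918(addr):
            findings.append("%s %s is RFC1918 private space" % (label, addr))
    return findings


if __name__ == "__main__":
    pkt = build_sample()
    print(parse_icmp_unreachable(pkt))
    for f in assess(OUTER_SRC, OUTER_DST, pkt):
        print("note:", f)
```

Run stand-alone it prints the decoded quote (code 13, UDP 192.168.75.7:40000 -> 12.125.63.42:53) and one note, that the probe source is RFC1918 space, which is exactly the question raised in the reply: either the alert was sanitised or the "attacker" is on the local side.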


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
