Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Log entry

From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Tue, 26 Feb 2002 14:16:06 -0500
ID=38386 PROTO=ICMP TYPE=3 CODE=3


ICMP code 3 is a "Port Unreachable" message for closed UDP port.


aa.aa.aaa.aaa DST=(me)xxx.xxx.xxx.xxx LEN=78 
TOS=0x00 PREC=0x00 TTL=112 ID=20908 PROTO=UDP 
SPT=1046 DPT=137 LEN=58 ]


I am not really familiar if iptables log format, but this looks like the IP
header of the original message. 

- Jeff

-----Original Message-----
From: Scott Taylor [mailto:scottt () soccer com]
Sent: Tuesday, February 26, 2002 1:07 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Log entry


I was wondering if anyone could help me decipher 
this log entry. Or direct me to some place that 
could:

Feb 26 08:13:09 GENESIS1 kernel: IN= OUT=eth0 
SRC=(me)xxx.xxx.xxx.xxx DST=(outside)
aa.aa.aaa.aaa LEN=106 TOS=0x00 PREC=0xC0 TTL=255 
ID=38386 PROTO=ICMP TYPE=3 CODE=3 [SRC=(outside)
aa.aa.aaa.aaa DST=(me)xxx.xxx.xxx.xxx LEN=78 
TOS=0x00 PREC=0x00 TTL=112 ID=20908 PROTO=UDP 
SPT=1046 DPT=137 LEN=58 ]

I'm using iptables. I know OUT=eth0 is where the 
packet got dropped SRC=(me) is my external if. 
DST=(outside) is someone else. Why is there a 
second set of SRC and DST? the braketed part? 
[SRC=(outside) DST=(me) PROTO is UDP and source 
port is 1046 destination port is 137]

Now I know 137 is a window port. I guess I'm 
confused as to who generated the packet. Me or 
The outside IP, because the first source says 
it's me, and the second say's its the outside.

Is this a spoofing type attack perhaps?

Thanks for any input. 

Cheers,
Scott.
NOTE: I didn't post the IP's this time ;)

THERE IS ONLY ONE... 
SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: