Snort mailing list archives
A little help with an alert
From: "Terry Carlton" <lists () ironcomet com>
Date: Tue, 29 Oct 2002 13:01:39 -0500
Hello all. I have two Snort sensors on my network. The first is on an IPCop firewall at the perimeter. The second is behind the firewall and it catches everything on the inside. On the inside, I am running Snort 1.9 and the IPCop box is 1.8. I have a strange alert that is popping up in record numbers. This is from the IPCop Snort logs:

Date: 10/28 10:20:43
Name: ICMP Source Quench
Priority: 2
Type: Potentially Bad Traffic
IP info: 193.171.121.21:n/a -> 65.xxx.xxx.xxx:n/a
References: none found

Date: 10/28 10:36:29
Name: ICMP Source Quench
Priority: 2
Type: Potentially Bad Traffic
IP info: 193.171.121.21:n/a -> 65.xxx.xxx.xxx:n/a
References: none found

Date: 10/28 10:39:59
Name: ICMP Source Quench
Priority: 2
Type: Potentially Bad Traffic
IP info: 193.171.121.21:n/a -> 65.xxx.xxx.xxx:n/a
References: none found

Date: 10/28 10:40:52
Name: ICMP Source Quench
Priority: 2
Type: Potentially Bad Traffic
IP info: 193.171.121.21:n/a -> 65.xxx.xxx.xxx:n/a
References: none found

Then, my internal Snort logs show the following:

[**] [1:408:4] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
10/29-12:44:43.426212 0:3:B3:0:43:2A -> 0:20:78:CF:9:33 type:0x800 len:0x62
193.171.121.21 -> 10.xxx.xxx.xxx ICMP TTL:233 TOS:0x0 ID:33631 IpLen:20 DgmLen:84
Type:0 Code:0 ID:512 Seq:2048 ECHO REPLY

[**] [1:408:4] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
10/29-12:44:43.437976 0:3:B3:0:43:2A -> 0:20:78:CF:9:33 type:0x800 len:0x62
193.171.121.21 -> 10.xxx.xxx.xxx ICMP TTL:233 TOS:0x0 ID:33634 IpLen:20 DgmLen:84
Type:0 Code:0 ID:512 Seq:2816 ECHO REPLY

[**] [1:408:4] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
10/29-12:46:55.835954 0:3:B3:0:43:2A -> 0:20:78:CF:9:33 type:0x800 len:0x62
212.199.187.134 -> 10.xxx.xxx.xxx ICMP TTL:109 TOS:0x0 ID:12833 IpLen:20 DgmLen:84
Type:0 Code:0 ID:512 Seq:3072 ECHO REPLY

I did a Google search and came up with some Snortsnarf pages that contained this IP with the same type of traffic.

I realize that these are ping replies, but what is pinging this site that is causing this? I am on a switched network, so I am installing Ethereal on some of the machines to see if they are generating the alerts. Is anybody able to help a little on this? Thank you.

Terry

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
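To narrow down which internal machine is sending the pings before installing a sniffer everywhere, here is an added example (not part of the original post) that parses Snort 1.9 full-format alert records like the ones quoted above and groups the Echo Replies by the internal host that received them. The sample records and the internal address 10.0.0.5 are constructed for the example.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in Snort 1.9 full-alert format, after the post's records.
SAMPLE_ALERTS = """\
[**] [1:408:4] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
10/29-12:44:43.426212 0:3:B3:0:43:2A -> 0:20:78:CF:9:33 type:0x800 len:0x62
193.171.121.21 -> 10.0.0.5 ICMP TTL:233 TOS:0x0 ID:33631 IpLen:20 DgmLen:84
Type:0 Code:0 ID:512 Seq:2048 ECHO REPLY
[**] [1:408:4] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
10/29-12:44:43.437976 0:3:B3:0:43:2A -> 0:20:78:CF:9:33 type:0x800 len:0x62
193.171.121.21 -> 10.0.0.5 ICMP TTL:233 TOS:0x0 ID:33634 IpLen:20 DgmLen:84
Type:0 Code:0 ID:512 Seq:2816 ECHO REPLY
[**] [1:408:4] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
10/29-12:46:55.835954 0:3:B3:0:43:2A -> 0:20:78:CF:9:33 type:0x800 len:0x62
212.199.187.134 -> 10.0.0.5 ICMP TTL:109 TOS:0x0 ID:12833 IpLen:20 DgmLen:84
Type:0 Code:0 ID:512 Seq:3072 ECHO REPLY
"""

# One regex per line of interest: rule header, IP header line, ICMP line.
HDR = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
IPHDR = re.compile(r"^(\S+) -> (\S+) ICMP TTL:(\d+)", re.M)
ICMP = re.compile(r"^Type:(\d+) Code:(\d+) ID:(\d+) Seq:(\d+)", re.M)

def parse_alerts(text):
    """Split full-format alert text at each '[**] [' header and pull out fields."""
    alerts = []
    for block in re.split(r"(?m)^(?=\[\*\*\] \[)", text):
        h, i, c = HDR.search(block), IPHDR.search(block), ICMP.search(block)
        if not (h and i and c):
            continue  # not an ICMP record, or truncated: skip it
        alerts.append({"sid": int(h.group(2)), "msg": h.group(4), "src": i.group(1),
                       "dst": i.group(2), "ttl": int(i.group(3)), "type": int(c.group(1)),
                       "code": int(c.group(2)), "id": int(c.group(3)), "seq": int(c.group(4))})
    return alerts

def echo_reply_summary(alerts):
    """Group Echo Replies (type 0, code 0) by the internal host that received them:
    that host is the one sending the echo requests, so it is where to capture.
    A constant ICMP ID with seq steps in multiples of 256 looks like one ping process."""
    by_dst = defaultdict(list)
    for a in alerts:
        if a["type"] == 0 and a["code"] == 0:
            by_dst[a["dst"]].append(a)
    return {dst: {"replies": len(rows), "remotes": Counter(r["src"] for r in rows),
                  "icmp_ids": sorted({r["id"] for r in rows}),
                  "seq_steps": [b["seq"] - a["seq"] for a, b in zip(rows, rows[1:])]}
            for dst, rows in by_dst.items()}
```

Feed it the sensor's alert file instead of SAMPLE_ALERTS; the per-host summary tells you which machine to put Ethereal on first.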
Current thread:
- A little help with an alert Terry Carlton (Oct 29)