Snort mailing list archives

Re: ICMP messages


From: Neil Sandow <rxlist () rxlist com>
Date: Mon, 8 Sep 2003 10:46:43 -0700 (PDT)


On Mon, 8 Sep 2003, Matt Kettler wrote:

> At 12:03 PM 9/5/2003 -0700, Neil Sandow wrote:
> 
> > Is this the result of a client (128.252.140.114) behind a firewall making
> > an http request that the firewall (128.252.1.229 ?) does not allow?
> > 
> > Thanks! -Neil
> 
> No, this is a result of a client (129.250.146.18) making an http
> request to a "server" (128.252.140.114) that the firewall protecting the
> "server" (128.252.1.229) did not allow.
> 
> You've got the right basics, but you're mis-identifying the client and the
> "server".
> 
> (note: in this case I quoted "server" because your client is treating it as
> if it were a webserver, but the behavior of the firewall indicates that
> it's clearly not intended to be a webserver)
> 
> 
> The ICMP message itself is from the firewall, and sent to the originator of
> the communication that was blocked. The ICMP message also contains a short
> quotation of the headers of the offending packet, showing what was
> attempting to traverse the firewall that it refused.


But the very first packet in the series was:

<snip>
---------------------------------------------------------------------------
Packet 294372
TIME:   11:23:21.607182 (0.003618)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.140.114 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=48 id=D91D
        MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0D2F
 TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000
        hlen=28 (data=0) UAPRSF=000010 wnd=8192 cksum=D178 urg=0
DATA:   <No data>
---------------------------------------------------------------------------

indicating that 128.252.140.114 (port 1105) made a request to
129.250.146.18 (port 80) which was then ack'd and so on leading to the
firewall ICMP messages.  That's why I refer to 129.250.146.18 as the
'server' and 128.252.140.114 as the 'client'.   This is wrong?

-Neil
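As an added example (not part of the thread), a small Python parser that reads the quoted header carried inside an ICMP destination-unreachable message and reports which host originated the refused connection and which host it was aimed at; the ICMP code 13 (administratively prohibited), the ephemeral port 34567 and the whole constructed packet are assumptions, with the addresses taken from the reply's reading of the trace.

```python
import socket
import struct


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; we only parse it back)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_syn_header(sport, dport, seq):
    """20-byte TCP header with only SYN set (data offset 5 words)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)


def icmp_unreachable(fw_ip, orig_pkt, code=13):
    """Wrap the offending packet in ICMP type 3 the way a firewall would.
    Per RFC 792 the payload is the original IP header plus its first 8 bytes
    of transport header, enough to carry the TCP ports. Code 13 is assumed."""
    inner = orig_pkt[:28]
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner
    originator = socket.inet_ntoa(orig_pkt[12:16])  # reply goes back to the sender
    return ipv4_header(fw_ip, originator, 1, len(icmp)) + icmp


def explain_unreachable(pkt):
    """Parse an ICMP unreachable and name the two ends of the refused flow."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = pkt[ihl:]
    if icmp[0] != 3:
        raise ValueError("not an ICMP destination-unreachable message")
    inner = icmp[8:]                       # quoted header of the blocked packet
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "firewall": socket.inet_ntoa(pkt[12:16]),
        "notified": socket.inet_ntoa(pkt[16:20]),
        "code": icmp[1],
        "proto": inner[9],
        "client": f"{socket.inet_ntoa(inner[12:16])}:{sport}",
        "server": f"{socket.inet_ntoa(inner[16:20])}:{dport}",
    }


# Constructed sample following the reply: 129.250.146.18 tried to reach
# 128.252.140.114:80 and the firewall 128.252.1.229 refused it.
BLOCKED = (ipv4_header("129.250.146.18", "128.252.140.114", 6, 20)
           + tcp_syn_header(34567, 80, 13134530))
SAMPLE = icmp_unreachable("128.252.1.229", BLOCKED)
```

The "notified" host and the inner source address coincide, which is the check to apply when deciding who the client was: the firewall answers the originator, and the quoted header names that originator as its source.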


