Snort mailing list archives
Re: ICMP messages
From: Neil Sandow <rxlist () rxlist com>
Date: Mon, 8 Sep 2003 10:46:43 -0700 (PDT)
On Mon, 8 Sep 2003, Matt Kettler wrote:
> At 12:03 PM 9/5/2003 -0700, Neil Sandow wrote:
>> Is this the result of a client (128.252.140.114) behind a firewall making an http request that the firewall (128.252.1.229 ?) does not allow? Thanks! -Neil
>
> No, this is a result of a client (129.250.146.18) making an http request to a "server" (128.252.140.114) that the firewall protecting the "server" (128.252.1.229) did not allow. You've got the right basics, but you're mis-identifying the client and the "server". (Note: in this case I quoted "server" because your client is treating it as if it were a webserver, but the behavior of the firewall indicates that it's clearly not intended to be a webserver.) The ICMP message itself is from the firewall, and sent to the originator of the communication that was blocked. The ICMP message also contains a short quotation of the headers of the offending packet, showing what was attempting to traverse the firewall that it refused.
But the very first packet in the series was:

<snip>
---------------------------------------------------------------------------
Packet 294372
TIME:   11:23:21.607182 (0.003618)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.140.114 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=48 id=D91D
        MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0D2F
 TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000 hlen=28 (data=0)
        UAPRSF=000010 wnd=8192 cksum=D178 urg=0
DATA:   <No data>
---------------------------------------------------------------------------

indicating that 128.252.140.114 (port 1105) made a request to 129.250.146.18 (port 80), which was then ack'd and so on, leading to the firewall ICMP messages. That's why I refer to 129.250.146.18 as the 'server' and 128.252.140.114 as the 'client'. This is wrong?

-Neil
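The point both posters rely on is that an ICMP Destination Unreachable message carries, after its own 8-byte header, the IP header plus the first 8 bytes (enough for the TCP ports) of the datagram the firewall refused, and that the message is addressed to whichever host sent that datagram. Decoding that quoted header is how one settles who was client and who was server. The following is an added example, not code from the thread or from Snort: it builds a synthetic ICMP type 3 message of that shape using RFC 5737 documentation addresses chosen for the example (not the hosts discussed above), then parses it and applies the consistency check a defender would want, namely that the ICMP target equals the quoted packet's source, since a mismatch marks a message that is either malformed or not a genuine reply to your traffic.

```python
"""Decode an ICMP Destination Unreachable message and recover the blocked packet.

Added example; addresses, ports and sequence numbers are constructed for
illustration and are not the hosts from the mailing-list thread.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
# Type 3 codes a filtering device commonly uses (RFC 792 / RFC 1812).
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    3: "port unreachable",
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn(sport: int, dport: int, seq: int) -> bytes:
    """Minimal 20-byte TCP header with only SYN set; the TCP checksum is left
    zero because only the first 8 bytes (ports, seq) get quoted anyway."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_unreachable(fw: str, original: bytes, code: int = 13) -> bytes:
    """Wrap IP header + 8 bytes of `original` in an ICMP type 3 message sent by
    `fw` back to the original packet's source, as RFC 792 requires."""
    inner_src = socket.inet_ntoa(original[12:16])
    inner_ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[:inner_ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(fw, inner_src, socket.IPPROTO_ICMP, len(icmp)) + icmp


def decode_unreachable(pkt: bytes) -> dict:
    """Parse an IPv4/ICMP type 3 packet and recover the refused datagram's
    addresses and ports from the quoted header."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != socket.IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    outer_src = socket.inet_ntoa(pkt[12:16])   # the firewall that refused the packet
    outer_dst = socket.inet_ntoa(pkt[16:20])   # the host being told about it
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if len(inner) < inner_ihl + 8:
        raise ValueError("quoted datagram too short (need IP header + 8 bytes)")
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    orig_src = socket.inet_ntoa(inner[12:16])
    return {
        "icmp_sender": outer_src,
        "icmp_target": outer_dst,
        "reason": UNREACH_CODES.get(icmp[1], "code %d" % icmp[1]),
        "blocked_proto": inner[9],
        "blocked_src": orig_src,
        "blocked_sport": sport,
        "blocked_dst": socket.inet_ntoa(inner[16:20]),
        "blocked_dport": dport,
        # A genuine unreachable goes back to the host that sent the blocked packet.
        "consistent": outer_dst == orig_src,
    }


def summarize(r: dict) -> str:
    """One-line reading of a decoded message, in the terms used in the thread."""
    return ("%s refused proto %d from %s:%d to %s:%d (%s); originator %s was notified%s"
            % (r["icmp_sender"], r["blocked_proto"], r["blocked_src"], r["blocked_sport"],
               r["blocked_dst"], r["blocked_dport"], r["reason"], r["blocked_src"],
               "" if r["consistent"] else " -- BUT the ICMP target does not match"))


if __name__ == "__main__":
    # Constructed scenario: 192.0.2.10 sends a SYN to port 80 on 198.51.100.80;
    # the firewall 198.51.100.1 in front of it refuses and reports back.
    syn = ipv4_header("192.0.2.10", "198.51.100.80", socket.IPPROTO_TCP, 20, ttl=115) \
        + tcp_syn(1105, 80, 13134530)
    print(summarize(decode_unreachable(build_unreachable("198.51.100.1", syn))))
```

Reading the quoted header rather than the outer addresses is the whole trick: the outer source is the firewall, the outer destination is whoever is being told "no", and the inner source/destination are the original client and the host it tried to reach. The `consistent` flag is worth keeping in any IDS post-processing, because a type 3 message whose target is not the quoted packet's source is not an answer to that host's traffic.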