Snort mailing list archives

RE: exporting snort logs


From: "Joe Patterson" <jpatterson () asgardgroup com>
Date: Wed, 24 Nov 2004 11:17:58 -0500

IIRC, the "content" of ICMP unreachables (of which an "administratively
prohibited" is a flavor) should be the header of the packet that triggered
the unreachable message.  You can either parse that manually, or (for the
lazy among us - which would be me) capture a bunch of the icmp unreachables
and look at them in ethereal, which will parse the included header for you.
From that you *should* be able to get a fairly good idea of what is being
denied.

-Joe
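Added example, not from the thread: a small decoder for the quoted header Joe refers to, which is what Ethereal shows when it dissects an ICMP unreachable. The sample message is constructed (type 3, code 13 quoting a TCP packet from 10.1.2.3 to port 445 on 192.0.2.10); addresses and ports are made up, and the tally helper is an added convenience for sorting through a large number of such alerts.

```python
# Added example (not from the thread): decode the quoted header inside an
# ICMP destination-unreachable message, as Joe describes. Sample bytes are
# constructed; addresses and ports are made up.
import socket
import struct
from collections import Counter

UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 3: "port unreachable", 9: "network administratively prohibited",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# type 3, code 13, checksum/unused zeroed, then the quoted IPv4 header
# (proto 6, 10.1.2.3 -> 192.0.2.10) and 8 bytes of TCP: sport 49152, dport 445
SAMPLE_ICMP = bytes.fromhex(
    "030d0000" "00000000"
    "45000028" "12344000" "7f060000" "0a010203" "c000020a"
    "c00001bd" "00000001")

def decode_unreachable(icmp: bytes) -> dict:
    """Return who was trying to reach what, from one ICMP type-3 message."""
    if len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not a destination-unreachable message")
    code = icmp[1]
    inner = icmp[8:]                      # quoted IP header + >= 8 payload bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("quoted IPv4 header missing or truncated")
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    info = {"code": code, "reason": UNREACH_CODES.get(code, f"code {code}"),
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "src": socket.inet_ntoa(inner[12:16]),
            "dst": socket.inet_ntoa(inner[16:20])}
    l4 = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:  # TCP/UDP ports sit in the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info

def tally_denied_flows(icmp_messages) -> Counter:
    """Count (src, dst, proto, dport) across many unreachables to see what is denied."""
    flows = Counter()
    for msg in icmp_messages:
        try:
            d = decode_unreachable(msg)
        except ValueError:
            continue                      # skip malformed or non-unreachable ICMP
        flows[(d["src"], d["dst"], d["proto"], d.get("dport"))] += 1
    return flows
```

Feed it the ICMP payloads pulled from a capture of the unreachables (everything after the outer IP header) and the tally shows which internal hosts, destinations and ports the router is rejecting.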

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Endre
Szekely-Bencedi
Sent: Wednesday, November 24, 2004 4:12 AM
To: snort-users () lists sourceforge net
Cc: Andras Kalmar; Basselgia, Barry A Mr (NAF Atsugi)
Subject: RE: [Snort-users] exporting snort logs



Hi, thanks for the reply.
The idea is that before contacting those people I should know why these
machines are trying to pass that router. :)
We are a consultancy company that provides services to another company and
we have a subnet in their network (A class network). So it is a huge
network.
The whole problem is this, I believe: why these machines are trying to
contact it (what software does this, actually...).
I know only tcpdump to figure this out and tried it but didn't manage to
see anything understandable. There is a lot of 'spam' (packets), for
example to an exchange server on the customer side (that is normal).. and
some packets that had 'SMB' somewhere.. perhaps it is something that tries
to access netbios shares there, and those infamous netbios ports are denied.
Anyway I am not sure anyone can help me with this, I'll have to answer the
questions myself.
A hint on some tools / methods for identifying traffic would be more than
welcome, if possible.

Thanks for your patience, I'm a security noob who has some clues about
security / networking, but that's all. :) Sorry for that.


Greetings,
Endre Szekely-Bencedi



From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia@atsugi.navy.mil>
To: "'Endre Szekely-Bencedi'" <Endre.Szekely-Bencedi () hu-tcs com>, snort-users () lists sourceforge net
cc: Andras Kalmar <Andras.Kalmar () hu-tcs com>
Subject: RE: [Snort-users] exporting snort logs
Sent: 11/24/2004 01:20 AM

Can't help with the export thing.

But, on your question regarding "communications administratively
prohibited".  This means the router that is sending the messages is
configured to block your network/ip address.  The only way to correct this
would be to identify who the router(s) belongs to and contact them to find
out why you're being blocked.  So, this isn't really a "False Alarm".  And
obviously, if you have 100,000 hits something on your network is trying to
get through those routers.




-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Endre
Szekely-Bencedi
Sent: Tuesday, November 23, 2004 8:36 PM
To: snort-users () lists sourceforge net
Cc: Andras Kalmar
Subject: [Snort-users] exporting snort logs


...
Also, how do you guys manage to identify false alarms? I am getting
alerts for "communication administratively prohibited" or something like
that from a few routers outside of our network for 19 IP addresses
(8 machines) from our network - there are like 140 machines - and this is
up to almost 100,000. I did not manage to determine yet what is causing
this huge amount of alerts... tcpdump looks pretty encrypted to me, didn't
see anything interesting yet just lots of packets towards our proxy server
and to some exchange server...

Any hints on how to do this? Perhaps some tools ... ?

...

Greetings,
Endre

"THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR THE
ADDRESSEE and may contain confidential and privileged information. If the
reader of this message is not the intended recipient, you are
notified that
any dissemination, distribution or copy of this communication is strictly
prohibited. If you have received this message by error, please notify us
immediately, return the original mail to the sender and delete the message
from your system."



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------------------------------------------------
This message has been scanned for viruses and dangerous
content by the NAF Atsugi MailScanner.
