[Snort-devel] ICMP port unreachable response gives invalid port number

Pavel Gushchinsky gpb at ...977...
Mon Nov 26 06:24:02 EST 2001


Hi Colleagues,

This is a fragment of a tcpdump log of snort responses:

/usr/sbin/tcpdump -n -i eth0 ether src 0:C0:26:64:30:5A | grep -v
'195.216.160.231'

16:03:39.718510 195.216.191.129.80 > 195.174.103.44.4524: R
3545403929:3545403929(0) ack 99333783 win 0
16:03:39.718788 195.174.103.44.4524 > 195.216.191.129.80: R
4294967225:4294967225(0) ack 72 win 0
16:03:39.718905 195.216.191.129 > 195.174.103.44: icmp: net 195.216.191.129
unreachable [tos 0xf4]
16:03:39.719011 195.216.191.129 > 195.174.103.44: icmp: host 195.216.191.129
unreachable [tos 0xf4]
16:03:39.719110 195.216.191.129 > 195.174.103.44: icmp: 195.216.191.129 tcp port
21536 unreachable [tos 0xf4]

16:03:46.677087 195.216.191.129.80 > 195.174.103.44.4659: R
3549569456:3549569456(0) ack 107667790 win 0
16:03:46.768731 195.174.103.44.4659 > 195.216.191.129.80: R
4294967217:4294967217(0) ack 80 win 0
16:03:46.768930 195.216.191.129 > 195.174.103.44: icmp: net 195.216.191.129
unreachable [tos 0xf4]
16:03:46.769042 195.216.191.129 > 195.174.103.44: icmp: host 195.216.191.129
unreachable [tos 0xf4]
16:03:46.769139 195.216.191.129 > 195.174.103.44: icmp: 195.216.191.129 tcp port
21536 unreachable [tos 0xf4]

16:03:53.884728 195.216.191.129.80 > 195.174.103.44.4786: R
3563406544:3563406544(0) ack 115364628 win 0
16:03:53.934355 195.174.103.44.4786 > 195.216.191.129.80: R
4294967203:4294967203(0) ack 94 win 0
16:03:53.934534 195.216.191.129 > 195.174.103.44: icmp: net 195.216.191.129
unreachable [tos 0xf4]
16:03:53.934649 195.216.191.129 > 195.174.103.44: icmp: host 195.216.191.129
unreachable [tos 0xf4]
16:03:53.934760 195.216.191.129 > 195.174.103.44: icmp: 195.216.191.129 tcp port
21536 unreachable [tos 0xf4]

16:04:06.539524 195.216.191.129.80 > 195.174.103.44.3024: R
3565503705:3565503705(0) ack 129598758 win 0
16:04:06.612463 195.174.103.44.3024 > 195.216.191.129.80: R
4294967170:4294967170(0) ack 127 win 0
16:04:06.612655 195.216.191.129 > 195.174.103.44: icmp: net 195.216.191.129
unreachable [tos 0xf4]
16:04:06.612764 195.216.191.129 > 195.174.103.44: icmp: host 195.216.191.129
unreachable [tos 0xf4]
16:04:06.612873 195.216.191.129 > 195.174.103.44: icmp: 195.216.191.129 tcp port
21536 unreachable [tos 0xf4]

16:04:08.521987 195.216.191.129.80 > 195.174.103.44.3056: R
3568521654:3568521654(0) ack 131722472 win 0
16:04:08.522174 195.174.103.44.3056 > 195.216.191.129.80: R
4294967204:4294967204(0) ack 93 win 0
16:04:08.522285 195.216.191.129 > 195.174.103.44: icmp: net 195.216.191.129
unreachable [tos 0xf4]
16:04:08.522392 195.216.191.129 > 195.174.103.44: icmp: host 195.216.191.129
unreachable [tos 0xf4]
16:04:08.522491 195.216.191.129 > 195.174.103.44: icmp: 195.216.191.129 tcp port
21536 unreachable [tos 0xf4]

16:04:15.080065 195.216.191.129.80 > 195.174.103.44.3189: R
3580858758:3580858758(0) ack 139429468 win 0
16:04:15.171006 195.174.103.44.3189 > 195.216.191.129.80: R
4294967204:4294967204(0) ack 93 win 0
16:04:15.171224 195.216.191.129 > 195.174.103.44: icmp: net 195.216.191.129
unreachable [tos 0xf4]
16:04:15.171343 195.216.191.129 > 195.174.103.44: icmp: host 195.216.191.129
unreachable [tos 0xf4]
16:04:15.171447 195.216.191.129 > 195.174.103.44: icmp: 195.216.191.129 tcp port
21536 unreachable [tos 0xf4]

16:04:26.558027 195.216.191.129.80 > 195.174.103.44.3401: R
3589632495:3589632495(0) ack 152168263 win 0
16:04:26.645464 195.174.103.44.3401 > 195.216.191.129.80: R
4294967203:4294967203(0) ack 94 win 0
16:04:26.645640 195.216.191.129 > 195.174.103.44: icmp: net 195.216.191.129
unreachable [tos 0xf4]
16:04:26.645753 195.216.191.129 > 195.174.103.44: icmp: host 195.216.191.129
unreachable [tos 0xf4]
16:04:26.645852 195.216.191.129 > 195.174.103.44: icmp: 195.216.191.129 tcp port
21536 unreachable [tos 0xf4]

The problem is that in the icmp port unreachable responses the port number is always
21536. In this case it must be 80.

Pavel Gushchinsky,

JUNIK Technical Manager (gpb at ...977...)
Transport and Telecommunication Institute Major IT Specialist (gpb at ...978...)

ICQ: 1117567 (work), 92114619 (home)
Phone: +371-7100509, Mob. +371-6469022, Fax: +371-7100510
http://www.junik.lv
http://www.tsi.lv
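The check the post makes by reading tcpdump output can be automated. The following is an added example, not code from the original post and not Snort's own code: it builds an ICMP Destination Unreachable message the way RFC 792 lays it out (ICMP header, then the IP header of the packet that triggered it, then the first 8 bytes of that packet's transport header, which is where the TCP ports sit), parses such a message back, and verifies that the quoted addresses and ports match the packet that caused it. The sample flow (195.174.103.44:4524 to 195.216.191.129:80, the first RST in the log) is constructed here from the values in the post; checksums, TTL and TOS are assumed values.

```python
"""Build, parse and verify ICMP Destination Unreachable (type 3) messages.

Added example: a defender-side check that the IP header and ports quoted inside
an ICMP unreachable really belong to the packet that triggered it.
"""
import socket
import struct

ICMP_PROTO = 1
TCP_PROTO = 6
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, tos: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, 20 + payload_len,
                      0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int, window: int = 0) -> bytes:
    """20-byte TCP header, data offset 5; TCP checksum left zero (not needed here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                       flags, window, 0, 0)


def build_unreachable(responder: str, victim: str, original: bytes,
                      code: int = ICMP_PORT_UNREACH) -> bytes:
    """ICMP type 3 quoting the original IP header plus 8 bytes of its payload."""
    ihl = (original[0] & 0x0F) * 4
    quoted = original[:ihl + 8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(responder, victim, ICMP_PROTO, len(icmp)) + icmp


def parse_unreachable(packet: bytes) -> dict:
    """Decode an ICMP unreachable and return what it quotes; raise on malformed input."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO:
        raise ValueError("outer packet is not ICMP")
    icmp = packet[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP length or checksum")
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a destination unreachable message")
    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("quoted IP header truncated")
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        raise ValueError("quoted transport header truncated")
    # The ports are the first 4 bytes after the quoted IP header, and only
    # mean something for TCP/UDP; any other offset lands in unrelated fields.
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "code": icmp[1],
        "quoted_proto": inner[9],
        "quoted_src": socket.inet_ntoa(inner[12:16]),
        "quoted_dst": socket.inet_ntoa(inner[16:20]),
        "quoted_sport": sport,
        "quoted_dport": dport,
    }


def quote_matches(original: bytes, icmp_packet: bytes) -> bool:
    """True when the unreachable quotes the addresses and ports of `original`."""
    ihl = (original[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", original[ihl:ihl + 4])
    q = parse_unreachable(icmp_packet)
    return (q["quoted_proto"] == original[9]
            and q["quoted_src"] == socket.inet_ntoa(original[12:16])
            and q["quoted_dst"] == socket.inet_ntoa(original[16:20])
            and q["quoted_sport"] == sport and q["quoted_dport"] == dport)


# Constructed sample: the first RST from the post, 195.174.103.44.4524 ->
# 195.216.191.129.80, seq 4294967225 ack 72 (flags RST|ACK = 0x14).
SAMPLE_RST = (build_ipv4_header("195.174.103.44", "195.216.191.129", TCP_PROTO, 20)
              + build_tcp_header(4524, 80, 4294967225, 72, 0x14))
SAMPLE_ICMP = build_unreachable("195.216.191.129", "195.174.103.44", SAMPLE_RST)

if __name__ == "__main__":
    print(parse_unreachable(SAMPLE_ICMP))
    print("quote matches original:", quote_matches(SAMPLE_RST, SAMPLE_ICMP))
```

A correctly built message quotes destination port 80 here; a tool that emits a constant such as 21536 (0x5420) for every flow fails `quote_matches`, which is the condition the post observed in tcpdump. The parser also rejects a quote that does not carry the full 8 bytes of transport header, since the ports cannot be trusted without them.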


