[Snort-users] Re: rules and paranoia?!?

Dragos Ruiu dr at ...50...
Wed Aug 23 15:25:10 EDT 2000


Hi there Marty, forwarded your mail.
I've taken the liberty of removing your address from the list reply
in case you want to be anonymous about the potential attack.

You wrote:
> Heya,
> I have been running snort for some days on my 2.7 obsd box.
> Now today I got about 30 new IP dirs in my log area, which means attacks.
> But the files under them look like ICMP_PORT_UNRCH, ICMP_TTL_EXCEED,
> ICMP_HST_UNRCH, ICMP_TTL_EXCEED.
> I don't know what those mean; I can't see if it is some ports or which attacks
> they do.
> Also, at precisely 14:10 today I got about 26 IPs all saying ICMP_TTL_EXCEED
> at the precise TIME!?
> Could there be something wrong?
> Do you have a list of what all that means?

ICMP TTL exceeded means that the TTL of the packet (which is decremented
at every hop) has reached zero and that node tossed your packet.
The unreachable messages are sent back by hosts when you
try to access addresses or ports that are not accessible.

This could indeed be a test of an attack to do something like DDoS you
with ICMP messages....  multiple synchronized packets from multiple IPs
would point to a bunch of DDoS clients acting synchronously.

But paranoia is always a problem with IDS... it could also be an app
locally on your side that sprayed a whole bunch of IPs with some bogus
traffic and got back ICMP messages from all of them when their stacks
timed out at the same time (this would imply that all those IPs run the
same OS).

My recommendation: take two aspirin, be a little more careful in case 
someone is testing your perimeter, and check your logs again tomorrow
morning. If you have really sensitive stuff to protect, maybe log all packets
for a couple of days and spend a little time looking for strange stuff.

A few errant ICMP messages are not something to start calling the admins of
those sites over yet. Though some err... more tightly wound sysadmins
seem to jump and send you nastygrams for even little stuff like this, I would
perceive this as overreaction....

But I usually take a portscan and stuff like this as permission to portscan
back. :-)

cheers,
--dr


 -- 
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D 
pgp key: http://www.dursec.com/drkey.asc
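The reply above leaves the reader with two questions to answer from the logs: are these ICMP errors replies to traffic this host actually sent (the "local app sprayed a bunch of IPs" case), or unsolicited, and did many distinct sources really arrive in the same second (the "26 IPs at precisely 14:10" case)? The following is an added example written for this page, not code from the thread, from Snort, or from the poster. An ICMP error message (RFC 792) carries the IP header and first 8 bytes of the datagram it complains about, so the embedded source address, destination and port can be compared against a table of flows the host sent. The example maps the three Snort directory names in the mail to the standard RFC 792 type/code pairs (an assumption about those labels), builds constructed sample messages using documentation address ranges, and flags any second in which at least ten distinct reporters sent the same error type.

```python
"""Triage inbound ICMP error messages: solicited vs. unsolicited, plus bursts.

Added example for this thread; not from Snort or the original poster.
Sample addresses, flows and timestamps below are constructed.
"""
import socket
import struct
from collections import defaultdict

# The Snort 1.x directory names from the mail, mapped here (assumption) to
# the standard RFC 792 ICMP (type, code) pairs they describe.
ICMP_NAMES = {
    (3, 1): "ICMP_HST_UNRCH",
    (3, 3): "ICMP_PORT_UNRCH",
    (11, 0): "ICMP_TTL_EXCEED",
}


def _ip_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header for a constructed sample (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_icmp_error(icmp_type, code, orig_src, orig_dst, proto, sport, dport):
    """Constructed ICMP error: 8-byte ICMP header, then the offending datagram's
    IP header and its first 8 bytes (which hold the TCP/UDP ports)."""
    quoted = _ip_header(orig_src, orig_dst, proto, 28) + struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted


def parse_icmp_error(payload):
    """Return (name, orig_src, orig_dst, proto, sport, dport), or None when the
    message is not a tracked error type or is too short to quote a datagram."""
    if len(payload) < 8 + 20 + 8:
        return None
    name = ICMP_NAMES.get((payload[0], payload[1]))
    if name is None:
        return None
    ip = payload[8:]                       # quoted IP header starts after ICMP header
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8:
        return None
    proto = ip[9]
    orig_src = socket.inet_ntoa(ip[12:16])
    orig_dst = socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])   # first 4 bytes of L4 header
    return name, orig_src, orig_dst, proto, sport, dport


def triage(events, our_ip, sent_flows, burst_threshold=10):
    """events: (timestamp, reporter_ip, icmp_bytes) tuples.
    sent_flows: set of (dst_ip, proto, dport) this host really sent.
    Returns (verdicts, bursts): one (ts, reporter, name, verdict) per event, and
    (ts, name, distinct_reporters) for seconds at or above burst_threshold."""
    verdicts = []
    per_second = defaultdict(set)
    for ts, reporter, raw in events:
        parsed = parse_icmp_error(raw)
        if parsed is None:
            verdicts.append((ts, reporter, "UNKNOWN", "ignored"))
            continue
        name, orig_src, orig_dst, proto, _sport, dport = parsed
        # An error is only a legitimate reply if it quotes a datagram we sent.
        solicited = orig_src == our_ip and (orig_dst, proto, dport) in sent_flows
        verdicts.append((ts, reporter, name, "solicited" if solicited else "unsolicited"))
        per_second[(ts, name)].add(reporter)
    bursts = [(ts, name, len(reporters))
              for (ts, name), reporters in sorted(per_second.items())
              if len(reporters) >= burst_threshold]
    return verdicts, bursts


# Constructed scenario (documentation ranges): one DNS query and one
# traceroute-style UDP probe we really sent, then 26 TTL-exceeded messages in
# the same second quoting a packet this host never sent.
OUR_IP = "192.0.2.10"
SENT = {("198.51.100.5", 17, 53), ("203.0.113.7", 17, 33434)}
EVENTS = [
    ("14:09:58", "198.51.100.5", build_icmp_error(3, 3, OUR_IP, "198.51.100.5", 17, 40000, 53)),
    ("14:09:59", "203.0.113.1", build_icmp_error(11, 0, OUR_IP, "203.0.113.7", 17, 40001, 33434)),
]
EVENTS += [("14:10:00", f"203.0.113.{n}",
            build_icmp_error(11, 0, OUR_IP, "192.0.2.99", 17, 1024, 80))
           for n in range(20, 46)]


def run():
    return triage(EVENTS, OUR_IP, SENT)


if __name__ == "__main__":
    verdicts, bursts = run()
    for v in verdicts[:4]:
        print(v)
    print("bursts:", bursts)
```

Run against a real capture, the `sent_flows` table would come from the host's own outbound packets in the same pcap, which is why the mail's advice to log everything for a couple of days matters: without the outbound side there is no way to tell a reply from a flood.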
