[Snort-users] snortnet???

Dave Keener dkeener at ...376...
Thu Aug 24 14:02:50 EDT 2000


Has anyone had any luck getting snortnet to work?  I am trying to log alerts
to a central server but am having a difficult time understanding how to get
snortnet to work.  I understand the basics of how it works.  Just can't
figure out how to configure it with snort.

Dave

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Andreas
Maus
Sent: Thursday, August 24, 2000 1:08 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Re: rules and paranoia?!?


Dragos Ruiu wrote:
>
> Hi there Marty, forwarded your mail.
> I've taken the liberty of removing your address from the list reply
> in case you want to be anonymous about the potential attack.
>
> You wrote:
> > Heya,
> > I have been running snort for some days on my 2.7 obsd box.
> > Now today i got about 30 new IP dirs in my log area which means attacks.
> > But the files under them look like ICMP_PORT_UNRCH,  ICMP_TTL_EXCEED,
> > ICMP_HST_UNRCH, ICMP_TTL_EXCEED,
> > I don't know what those mean; I can't see if it is some ports or which attacks
> > they do.
> > Also at precisely 14:10 today I got about 26 IPs all saying ICMP_TTL_EXCEED
> > at the precise TIME!?
> > Could there be something wrong?
> > Do you have a list of what all that means?
>
> ICMP TTL exceeded means that the TTL of the packet (which is decremented
> at every hop) has reached zero and that node tossed your packet.
> The unreachable messages are sent back by hosts when you
> try to access addresses or ports that are not accessible.
>
> This could indeed be a test of an attack to do something like DDoS you
> with ICMP messages....  multiple synchronized packets from multiple IPs
> would point to a bunch of DDoS clients acting synchronously.
>
> But paranoia is always a problem with IDS... it could also be an app
> locally on your side that sprayed a whole bunch of IPs with some bogus
> traffic and got back ICMP messages from all of them when their stacks
> timed out at the same time (this would imply that all those IPs run the
> same OS).
>
> My recommendation: take two aspirin, be a little more careful in case
> someone is testing your perimeter, and check your logs again tomorrow
> morning. If you have really sensitive stuff to protect, maybe log all packets
> for a couple of days and spend a little time looking for strange stuff.
>
> A few errant ICMP messages are not something to start calling the admins of
> those sites over yet. Though some err... more tightly wound sysadmins
> seem to jump and send you nastygrams for even little stuff like this, I would
> perceive this as overreaction....
>
> But I usually take a portscan and stuff like this as permission to portscan
> back. :-)
>
> cheers,
> --dr
>
>  --
> dursec.com ltd. / kyx.net - we're from the future
> pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D
> pgp key: http://www.dursec.com/drkey.asc
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

The ICMP_TTL_EXCEEDED and the ICMP_PORT_UNRCH messages may be caused by
the traceroute program running from your internal network.

Traceroute sends UDP packets to the destination host starting with a TTL
of 1. The next router decrements the TTL and sends back an ICMP_TTL_EXCEEDED
to the sender. Traceroute sends the next packet with a TTL of 2, which is
decreased by the first router (to 1) and by the second router (to 0), and the
second router again sends back an ICMP_TTL_EXCEEDED. And so on... If the UDP
datagram reaches the destination, the destination host sends back an
ICMP_PORT_UNRCH error, because traceroute sets the destination port of the
UDP datagram to a very high value (usually larger than 30000). Usually there
is no user process on this port on the destination host, so an
ICMP_PORT_UNRCH error is generated and sent to the sender. Traceroute uses
this ICMP_PORT_UNRCH to determine that the packet has reached its final
destination. So you may check (if you can) the destination port of the UDP
datagram encapsulated in the ICMP error messages.

More detailed information about the traceroute program can be found at
http://www.crosswinds.net/~hyena2k/ or (sometimes crosswinds.net seems
to be down) at the mirror at http://www.sedativa.f2s.com

Hope that helps... Andreas.

--
@---------------------------------------------@
|           email: andreas_maus at ...375...   |
|       http://www.bigfoot.com/~andreas_maus/ |
@---------------------------------------------@
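Andreas's check above (look at the destination port of the UDP datagram carried inside the ICMP error) can be done mechanically on the raw ICMP bytes that Snort logged. The following is an added example, not code from the thread or from the Snort project: it parses an ICMP error message (type 11 time-exceeded or type 3/code 3 port-unreachable), pulls out the embedded IPv4 header and the first 8 bytes of the original datagram (the UDP header), and applies the heuristic from the posting, "destination port larger than 30000", to label the alert as a traceroute hop reply, a traceroute final reply, or something else. The function names, the `TRACEROUTE_PORT_FLOOR` constant and the sample packets are assumptions for this example; the samples are constructed (checksums left zero, RFC 5737 documentation addresses), not captured traffic.

```python
import socket
import struct

# ICMP type/code values from RFC 792.
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3          # code under type 3
ICMP_TIME_EXCEEDED = 11
IPPROTO_UDP = 17
# The posting says traceroute's UDP destination port is "usually larger than 30000"
# (classic Unix traceroute starts at 33434 and counts up one per probe).
TRACEROUTE_PORT_FLOOR = 30000   # assumed threshold taken from the posting


def parse_icmp_error(icmp: bytes) -> dict:
    """Parse an ICMP error message, starting at its ICMP header, and return the
    embedded original IPv4 header fields plus the first 8 payload bytes (the UDP
    header when the original datagram was UDP). Checksums are not verified."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus embedded IPv4 header")
    icmp_type, icmp_code = struct.unpack("!BB", icmp[:2])
    inner = icmp[8:]   # RFC 792: original IP header + first 8 bytes of its data
    ver_ihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("embedded datagram is not IPv4")
    payload = inner[ihl:ihl + 8]
    record = {
        "type": icmp_type, "code": icmp_code,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "proto": proto, "sport": None, "dport": None,
    }
    if proto == IPPROTO_UDP and len(payload) >= 4:
        record["sport"], record["dport"] = struct.unpack("!HH", payload[:4])
    return record


def classify(rec: dict) -> str:
    """Apply the heuristic from the posting: a TTL-exceeded or port-unreachable
    error wrapping a UDP probe to a very high port is most likely traceroute."""
    if rec["proto"] != IPPROTO_UDP or rec["dport"] is None:
        return "not-udp"
    high_port = rec["dport"] > TRACEROUTE_PORT_FLOOR
    if rec["type"] == ICMP_TIME_EXCEEDED and high_port:
        return "traceroute-hop"            # an intermediate router answered
    if rec["type"] == ICMP_DEST_UNREACH and rec["code"] == ICMP_PORT_UNREACH and high_port:
        return "traceroute-final"          # the destination host answered
    return "other"


def build_icmp_error(icmp_type, icmp_code, src, dst, ttl, sport, dport) -> bytes:
    """Construct a sample ICMP error (checksums left zero) for offline testing.
    This is constructed test input, not a captured packet."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, ttl,
                     IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + ip + udp


# Constructed samples using RFC 5737 documentation addresses.
SAMPLES = {
    "hop":   build_icmp_error(ICMP_TIME_EXCEEDED, 0, "192.0.2.10", "198.51.100.7", 1, 40000, 33435),
    "final": build_icmp_error(ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, "192.0.2.10", "198.51.100.7", 9, 40000, 33443),
    "dns":   build_icmp_error(ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, "192.0.2.10", "198.51.100.7", 64, 40000, 53),
}


def triage(samples=SAMPLES) -> dict:
    """Return {name: verdict} for each sample so results can be checked, not just printed."""
    return {name: classify(parse_icmp_error(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        rec = parse_icmp_error(raw)
        print(f"{name:6s} {rec['src']} -> {rec['dst']} udp/{rec['dport']}: {classify(rec)}")
```

Note that the embedded source address is your own internal host that sent the probe, which is exactly how you tell "one of my users ran traceroute" apart from the DDoS-client scenario Dragos describes: in the traceroute case the inner src is local and the inner dst port climbs by one per alert, whereas unrelated ICMP from many hosts will not share that pattern.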