[Snort-users] nmap TCP ping

Jan Muenther jan at ...206...
Mon Aug 28 05:12:34 EDT 2000


Hi Daniel,
thanks for your reply.

> > [**] ICMP Destination Unreachable [**]
> > 08/25-12:51:53.239562 xx.xxx.xxx.xxx -> 195.54.105.6
> > ICMP TTL:64 TOS:0xC0 ID:4462
> > DESTINATION UNREACHABLE: PORT UNREACHABLE
> >
> > [**] IDS028 - PING NMAP TCP [**]
> > 08/25-12:51:53.245934 195.54.105.6:80 -> xx.xxx.xxx.xxx:2347
> > TCP TTL:38 TOS:0x0 ID:10650
> > ******A* Seq: 0x362   Ack: 0x0   Win: 0x578


>         Well... not exactly. The first packet (icmp port unreachable) is
> usually a response to a udp packet to a non-open port. The default nmap ping
> is an "icmp echo request" followed by a tcp ack to port 80.

Right, that's what it looked like. I DO get these types of alerts
quite often - which troubles me, since I can't think of anything
on my local net trying to send UDP packets to diverse hosts... I
hope it's not you-know-what...

>         I guess because some firewalls would see it as web traffic and let
> it through... see the "-g" option in the nmap man page.

The first packet? Why should any ICMP traffic be interpreted as
web traffic?

> The second packet
> looks like part of an ACK scan from nmap 2.53 (and probably previous
> versions) but you should see a lot more packets (and snort alerts) like it
> to different ports, unless the attacker (supposing you are under attack) is
> only interested in port 2347 TCP. I don't know anything interesting that
> listens on that port by default...

Well, neither do I... btw, it seems to be the only one, so I
would tend to interpret it as a stray packet... don't you...?
-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
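The two alert records quoted in this message, parsed and labelled the way the thread reads them: the ICMP port unreachable as the usual reply to a UDP datagram aimed at a closed port, and the bare ACK with acknowledgement number 0 from source port 80 as the nmap TCP ping pattern, with a per-host tally that separates a single stray hit from an ACK scan spread over many ports. This is example code added to the archived post; it is not Snort's or nmap's own code and was not posted by either correspondent. The embedded sample records are constructed in the same layout as the quoted alerts, with RFC 5737 documentation addresses standing in for the masked local host and the remote host, and the flag handling assumes Snort's `*`-padded flag field where a letter marks a set bit.

```python
"""Parse Snort 1.x "alert full"-style records and label each one.
Example code added to this archived thread; not Snort's or nmap's own code."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample in the layout of the alerts quoted in the thread;
# addresses are RFC 5737 documentation addresses, not the real hosts.
SAMPLE_ALERTS = """\
[**] ICMP Destination Unreachable [**]
08/25-12:51:53.239562 192.0.2.10 -> 198.51.100.6
ICMP TTL:64 TOS:0xC0 ID:4462
DESTINATION UNREACHABLE: PORT UNREACHABLE

[**] IDS028 - PING NMAP TCP [**]
08/25-12:51:53.245934 198.51.100.6:80 -> 192.0.2.10:2347
TCP TTL:38 TOS:0x0 ID:10650
******A* Seq: 0x362   Ack: 0x0   Win: 0x578
"""

HDR_RE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+)")
# Flag field: one character per TCP flag bit, '*' where the bit is clear.
TCP_RE = re.compile(
    r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+Win: (0x[0-9A-Fa-f]+)"
)


@dataclass
class Alert:
    msg: str
    timestamp: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    proto: str
    ttl: int
    flags: FrozenSet[str] = frozenset()   # letters of the set TCP flags, e.g. {"A"}
    ack: Optional[int] = None             # TCP acknowledgement number
    detail: str = ""                      # fourth line of a non-TCP record


def _split_endpoint(endpoint: str):
    """'198.51.100.6:80' -> ('198.51.100.6', 80); a bare address gets port None."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alerts(text: str) -> List[Alert]:
    """Split the alert file on blank lines and parse each 3-4 line record."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        m_hdr, m_addr, m_proto = (HDR_RE.match(lines[0]), ADDR_RE.match(lines[1]),
                                  PROTO_RE.match(lines[2]))
        if not (m_hdr and m_addr and m_proto):
            continue  # not a record in this layout; skip rather than guess
        src, sport = _split_endpoint(m_addr.group(2))
        dst, dport = _split_endpoint(m_addr.group(3))
        alert = Alert(msg=m_hdr.group(1), timestamp=m_addr.group(1),
                      src=src, src_port=sport, dst=dst, dst_port=dport,
                      proto=m_proto.group(1).upper(), ttl=int(m_proto.group(2)))
        if len(lines) > 3:
            m_tcp = TCP_RE.match(lines[3]) if alert.proto == "TCP" else None
            if m_tcp:
                alert.flags = frozenset(c for c in m_tcp.group(1) if c != "*")
                alert.ack = int(m_tcp.group(3), 16)
            else:
                alert.detail = lines[3]
        alerts.append(alert)
    return alerts


def classify(alert: Alert) -> str:
    """Label a record with the reading the thread gives it."""
    if alert.proto == "ICMP" and "PORT UNREACHABLE" in alert.detail.upper():
        # The usual reply to a UDP datagram sent to a closed port; not part
        # of nmap's ICMP-echo + TCP-ACK ping, which is why Jan is puzzled.
        return "udp-probe-reply"
    if alert.proto == "TCP" and alert.flags == frozenset({"A"}) and alert.ack == 0:
        # A bare ACK with acknowledgement number 0 is what IDS028 keys on;
        # source port 80 is the web-traffic lookalike Daniel ties to nmap -g.
        return "nmap-tcp-ping"
    return "other"


def ack_ping_profile(alerts: List[Alert]) -> Dict[str, List[int]]:
    """Destination ports hit by ACK-ping-style segments, per sending host.
    One host, one port (Jan's case) reads like a stray packet; one host
    spread over many ports is the ACK-scan pattern Daniel describes."""
    profile: Dict[str, set] = {}
    for alert in alerts:
        if classify(alert) == "nmap-tcp-ping" and alert.dst_port is not None:
            profile.setdefault(alert.src, set()).add(alert.dst_port)
    return {src: sorted(ports) for src, ports in profile.items()}


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a.timestamp} {a.proto:4} {a.src}:{a.src_port} -> {a.dst}:{a.dst_port}  {classify(a)}")
    print(ack_ping_profile(parse_alerts(SAMPLE_ALERTS)))
```

Running it on the real alert file instead of the embedded sample is a matter of passing the file's contents to `parse_alerts`; because the flag field is read as a set of letters rather than by position, the check does not depend on the order in which a given Snort build prints the eight flag columns.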


