[Snort-users] nmap TCP ping

Daniel van Balen vdaniel at ...191...
Mon Aug 28 03:01:46 EDT 2000


On Mon, Aug 28, 2000 at 11:12:34AM +0200, Jan Muenther wrote:
> 
> 
> > > [**] ICMP Destination Unreachable [**]
> > > 08/25-12:51:53.239562 xx.xxx.xxx.xxx -> 195.54.105.6
> > > ICMP TTL:64 TOS:0xC0 ID:4462
> > > DESTINATION UNREACHABLE: PORT UNREACHABLE
> > >
> > > [**] IDS028 - PING NMAP TCP [**]
> > > 08/25-12:51:53.245934 195.54.105.6:80 -> xx.xxx.xxx.xxx:2347
> > > TCP TTL:38 TOS:0x0 ID:10650
> > > ******A* Seq: 0x362   Ack: 0x0   Win: 0x578
> 
> on my local net trying to send UDP packets to diverse hosts... I
> hope it's not you-know-what...
> 

	I wouldn't know but the "port unreachable" response hopefully means
they didn't find anything. BTW if I remember correctly the body of the icmp
packet should have the udp packet that triggered it.

> >         I guess because some firewalls would see it as web traffic and let
> > it through... see the "-g" option in the nmap man page. 
> 
> The first packet? Why should any ICMP traffic be interpreted as
> web traffic?
> 

	I was talking about the second packet...

> The second packet
> > looks like part of a ACK scan from nmap 2.53 (and probably previous
> > versions) but you should see a lot more packets (and snort alerts) like it
> > to different ports, unless the attacker (supposing you are under attack) is
> > only interested in port 2347 TCP. I don't know anything interesting that
> > listens on that port by default...
> 
> Well, neither do I... btw, it seems to be the only one, so I
> would tend to interpret it as a stray packet... don't you...?

	Having no more evidence I would guess so...

-spiff
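As an added example (not part of the thread above, and not Snort or nmap code), the following script illustrates the point made in the reply that an ICMP "port unreachable" message carries the datagram that triggered it: per RFC 792 the ICMP error quotes the original IP header plus the first 8 bytes of its payload, which for UDP is the complete UDP header, so an analyst can recover the probed destination port and the original source. The scanner address 195.54.105.6 and the TOS value 0xC0 are taken from the quoted alerts; the local host address (192.0.2.10), the UDP ports and the payload are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_PORT_UNREACH = 3   # code 3 under type 3
PROTO_ICMP = 1
PROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """Standard ones'-complement checksum used by IP, ICMP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, tos: int = 0, ident: int = 0) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_port_unreachable(original: bytes, src: str, dst: str) -> bytes:
    """ICMP type 3 / code 3 quoting the original IP header + first 8 data bytes (RFC 792)."""
    ihl = (original[0] & 0x0F) * 4
    quoted = original[: ihl + 8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # TOS 0xC0 mirrors the value shown in the quoted Snort alert
    return build_ipv4(src, dst, PROTO_ICMP, icmp, tos=0xC0)


def parse_port_unreachable(packet: bytes):
    """Return what the quoted datagram tells us, or None if this is not a usable ICMP unreachable."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    if inet_checksum(icmp) != 0:
        return None  # corrupted or forged error message: do not trust the quoted header
    quoted = icmp[8:]
    if len(quoted) < 20:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    info = {
        "icmp_code": icmp[1],
        "orig_src": str(IPv4Address(quoted[12:16])),
        "orig_dst": str(IPv4Address(quoted[16:20])),
        "orig_proto": quoted[9],
        "orig_ttl": quoted[8],
    }
    inner = quoted[q_ihl:q_ihl + 8]
    if info["orig_proto"] == PROTO_UDP and len(inner) == 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", inner)
        info.update(orig_sport=sport, orig_dport=dport, orig_udp_len=ulen)
    return info


# Constructed sample: a UDP probe from the scanner seen in the thread to a local
# host (placeholder address), and the "port unreachable" the local host sends back.
SCANNER = "195.54.105.6"
LOCAL_HOST = "192.0.2.10"          # placeholder, not the masked address from the alert
UDP_PROBE = build_ipv4(SCANNER, LOCAL_HOST, PROTO_UDP,
                       struct.pack("!HHHH", 40123, 40000, 12, 0) + b"ping", ttl=38)
PORT_UNREACH_REPLY = build_port_unreachable(UDP_PROBE, LOCAL_HOST, SCANNER)

if __name__ == "__main__":
    print(parse_port_unreachable(PORT_UNREACH_REPLY))
```

Run with no arguments to see the recovered source, destination, protocol and UDP ports of the probe that triggered the ICMP error. The parser verifies the ICMP checksum before trusting the quoted header, so a truncated or tampered error message yields None rather than a misleading port number.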