[Snort-users] Questions about ICMP traffic that snort doesn't like

Scott Vieth SVIETH at ...566...
Wed Oct 4 15:26:44 EDT 2000


Hi:

I've got my snort-station listening outside our firewall.  I noticed that the /var/log/secure log is filling up with 
quite a few entries that relate to ICMP traffic.  It looks like this:

Oct  4 13:57:33 localhost snort[770]: IDS246 - MISC - Large ICMP Packet: 192.168.27.30 -> xxx.xxx.xxx.xxx
Oct  4 13:57:35 localhost snort[770]: PING-ICMP Destination Unreachable: 169.207.111.71 -> xxx.xxx.xxx.xxx
Oct  4 13:59:06 localhost snort[770]: PING-ICMP Destination Unreachable: 206.65.189.26 -> xxx.xxx.xxx.xxx
Oct  4 13:59:29 localhost snort[770]: PING-ICMP Destination Unreachable: 206.65.189.26 -> xxx.xxx.xxx.xxx
Oct  4 13:59:55 localhost snort[770]: PING-ICMP Destination Unreachable: 137.39.23.250 -> xxx.xxx.xxx.xxx
Oct  4 14:00:50 localhost snort[770]: PING-ICMP Destination Unreachable: 203.181.106.21 -> xxx.xxx.xxx.xxx
Oct  4 14:00:53 localhost last message repeated 4 times
Oct  4 14:01:38 localhost snort[770]: IDS246 - MISC - Large ICMP Packet: 192.168.27.29 -> xxx.xxx.xxx.xxx
Oct  4 14:01:43 localhost snort[770]: IDS246 - MISC - Large ICMP Packet: 192.168.27.28 -> xxx.xxx.xxx.xxx
Oct  4 14:04:17 localhost snort[770]: PING-ICMP Destination Unreachable: 192.168.63.37 -> xxx.xxx.xxx.xxx
Oct  4 14:04:17 localhost snort[770]: PING-ICMP Destination Unreachable: 192.168.63.37 -> xxx.xxx.xxx.xxx
Oct  4 14:04:46 localhost snort[770]: IDS246 - MISC - Large ICMP Packet: 192.168.27.27 -> xxx.xxx.xxx.xxx
Oct  4 14:10:25 localhost snort[770]: PING-ICMP Destination Unreachable: 203.181.106.21 -> xxx.xxx.xxx.xxx
Oct  4 14:10:28 localhost last message repeated 2 times
Oct  4 14:10:35 localhost snort[770]: PING-ICMP Destination Unreachable: 192.168.63.37 -> xxx.xxx.xxx.xxx
Oct  4 14:10:38 localhost last message repeated 4 times
Oct  4 14:11:51 localhost snort[770]: PING-ICMP Destination Unreachable: 216.17.36.19 -> xxx.xxx.xxx.xxx


When I look at one of the directories where I'm logging the traffic, I see this:

[**] PING-ICMP Destination Unreachable [**]
10/04-14:04:17.769976 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:56730  DF
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 51 4D 0D 40 00 F4 11 51 99  ....E..QM.@...Q.
CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 29 00 00  ......?%.5.5.)..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] PING-ICMP Destination Unreachable [**]
10/04-14:04:17.770280 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:56732  DF
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 59 4D 0E 40 00 F4 11 51 90  ....E..YM.@...Q.
CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 31 00 00  ......?%.5.5.1..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] PING-ICMP Destination Unreachable [**]
10/04-14:10:35.324429 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:20438  DF
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 56 0F E5 40 00 F4 11 8E BC  ....E..V..@.....
CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] PING-ICMP Destination Unreachable [**]
10/04-14:10:35.917362 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:21639  DF
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 56 0F E6 40 00 F4 11 8E BB  ....E..V..@.....
CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] PING-ICMP Destination Unreachable [**]
10/04-14:10:36.552060 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:23165  DF
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 56 0F E7 40 00 F4 11 8E BA  ....E..V..@.....
CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] PING-ICMP Destination Unreachable [**]
10/04-14:10:38.537898 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:27533  DF
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 56 0F E8 40 00 F4 11 8E B9  ....E..V..@.....
CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] PING-ICMP Destination Unreachable [**]
10/04-14:10:38.538168 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:27536  DF
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 56 0F E9 40 00 F4 11 8E B8  ....E..V..@.....
CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Q1) Why is snort logging messages in /var/log/secure about this traffic?
Is it dangerous in some way?

Q2) Do people really have nothing better to do than to sit and ping my internet
hosts all day?

Thanks in advance.

-Scott Vieth :^)
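Editor's note: the way to answer Q1 for a "Destination Unreachable" alert is to decode the datagram quoted inside the ICMP message. The hex column Snort prints for a type 3 message is the 4 unused bytes that follow the ICMP checksum, then the original IP header and the first 8 bytes of its transport header (RFC 792). The following decoder is an added example, not code from the original post or from the Snort project. It feeds in the bytes from the first and third dumps above and shows that the quoted datagram is UDP from 207.170.24.145 port 53 to 192.168.63.37 port 53, i.e. a DNS query that the remote host answered with "port unreachable". The `OWN_HOSTS` set is an assumption: ICMP errors are returned to the source of the quoted datagram, so the quoted source should be the masked `xxx.xxx.xxx.xxx` host, and treating it as ours is what turns the alert into "a reply to our own traffic". The parser also verifies the quoted IP header checksum; in these dumps it only verifies once the 20-byte header length is subtracted from the quoted total-length field, so it reports that quirk instead of dismissing the quote as corrupt.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed from the hex columns of the first and third dumps in the post:
# the 32 bytes Snort printed, nothing more.
SAMPLE_DUMPS = {
    "10/04-14:04:17.769976": "00 00 00 00 45 00 00 51 4D 0D 40 00 F4 11 51 99 "
                             "CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 29 00 00",
    "10/04-14:10:35.324429": "00 00 00 00 45 00 00 56 0F E5 40 00 F4 11 8E BC "
                             "CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00",
}

# Assumption: the masked xxx.xxx.xxx.xxx host. ICMP errors go back to the
# source of the quoted datagram, so the quoted source address should be it.
OWN_HOSTS = {"207.170.24.145"}

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class QuotedDatagram:
    src: str
    dst: str
    proto: str
    ttl: int
    total_len: int
    ip_id: int
    src_port: Optional[int]
    dst_port: Optional[int]
    checksum_ok: bool           # quoted IP header checksum verifies as printed
    len_inflated_by_ihl: bool   # verifies once ihl is subtracted from total length


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum of an IPv4 header, checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_unreachable_quote(hexdump: str) -> QuotedDatagram:
    """Decode Snort's type-3 ICMP payload: 4 unused bytes, then the quoted
    IPv4 header and the first 8 bytes of its transport header (RFC 792)."""
    data = bytes.fromhex(hexdump)
    if len(data) < 4 + 20 + 8:
        raise ValueError("need 4 unused bytes, a 20-byte IP header and 8 transport bytes")
    ip = data[4:]
    if ip[0] >> 4 != 4:
        raise ValueError("quoted header is not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("quoted IPv4 header is truncated")
    hdr = ip[:ihl]
    total_len, ip_id = struct.unpack("!HH", hdr[2:6])
    ttl, proto = hdr[8], hdr[9]
    stated = struct.unpack("!H", hdr[10:12])[0]
    checksum_ok = ipv4_checksum(hdr) == stated
    # Some stacks quote a total-length field with the header length already
    # added. Detect that: does the checksum verify after subtracting ihl?
    adjusted = hdr[:2] + struct.pack("!H", (total_len - ihl) & 0xFFFF) + hdr[4:]
    inflated = (not checksum_ok) and ipv4_checksum(adjusted) == stated
    src_port = dst_port = None
    if proto in (6, 17):  # TCP and UDP both start with source and destination port
        src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return QuotedDatagram(
        src=".".join(map(str, hdr[12:16])),
        dst=".".join(map(str, hdr[16:20])),
        proto=PROTO_NAMES.get(proto, str(proto)),
        ttl=ttl, total_len=total_len, ip_id=ip_id,
        src_port=src_port, dst_port=dst_port,
        checksum_ok=checksum_ok, len_inflated_by_ihl=inflated,
    )


def triage(d: QuotedDatagram, own_hosts: set) -> str:
    """An ICMP error whose quoted source is one of our hosts is a reply to
    traffic we originated; anything else deserves a closer look."""
    flow = f"{d.proto} {d.src}:{d.src_port} -> {d.dst}:{d.dst_port}"
    if d.src not in own_hosts:
        return f"unsolicited: quoted datagram {flow} was not sent by us"
    if d.proto == "UDP" and d.dst_port == 53:
        return f"reply to our own DNS query: {flow}"
    return f"reply to our own traffic: {flow}"


if __name__ == "__main__":
    for stamp, dump in SAMPLE_DUMPS.items():
        d = parse_unreachable_quote(dump)
        print(stamp, d)
        print("  ", triage(d, OWN_HOSTS))
```

Run as a script it prints each decoded quote and its triage verdict. Note that the `ID:56730` in Snort's alert header is the IP ID of the outer ICMP packet; the `ip_id` the decoder reports (0x4D0D) belongs to the quoted datagram, which is the one you would match against your own nameserver's outbound traffic.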


