[Snort-users] Questions about ICMP traffic that snort doesn't like

Joe McAlerney joey at ...155...
Wed Oct 4 21:07:12 EDT 2000


Scott Vieth wrote:
> 
> Hi:
> 
> I've got my snort-station listening outside our firewall.  I noticed that the /var/log/secure log is filling up with
> quite a few entries that relate to ICMP traffic.  It looks like this:
> 
> Oct  4 13:57:33 localhost snort[770]: IDS246 - MISC - Large ICMP Packet: 192.168.27.30 -> xxx.xxx.xxx.xxx
> Oct  4 13:57:35 localhost snort[770]: PING-ICMP Destination Unreachable: 169.207.111.71 -> xxx.xxx.xxx.xxx
> Oct  4 13:59:06 localhost snort[770]: PING-ICMP Destination Unreachable: 206.65.189.26 -> xxx.xxx.xxx.xxx
> Oct  4 13:59:29 localhost snort[770]: PING-ICMP Destination Unreachable: 206.65.189.26 -> xxx.xxx.xxx.xxx
> Oct  4 13:59:55 localhost snort[770]: PING-ICMP Destination Unreachable: 137.39.23.250 -> xxx.xxx.xxx.xxx
> Oct  4 14:00:50 localhost snort[770]: PING-ICMP Destination Unreachable: 203.181.106.21 -> xxx.xxx.xxx.xxx
> Oct  4 14:00:53 localhost last message repeated 4 times
> Oct  4 14:01:38 localhost snort[770]: IDS246 - MISC - Large ICMP Packet: 192.168.27.29 -> xxx.xxx.xxx.xxx
> Oct  4 14:01:43 localhost snort[770]: IDS246 - MISC - Large ICMP Packet: 192.168.27.28 -> xxx.xxx.xxx.xxx
> Oct  4 14:04:17 localhost snort[770]: PING-ICMP Destination Unreachable: 192.168.63.37 -> xxx.xxx.xxx.xxx
> Oct  4 14:04:17 localhost snort[770]: PING-ICMP Destination Unreachable: 192.168.63.37 -> xxx.xxx.xxx.xxx
> Oct  4 14:04:46 localhost snort[770]: IDS246 - MISC - Large ICMP Packet: 192.168.27.27 -> xxx.xxx.xxx.xxx
> Oct  4 14:10:25 localhost snort[770]: PING-ICMP Destination Unreachable: 203.181.106.21 -> xxx.xxx.xxx.xxx
> Oct  4 14:10:28 localhost last message repeated 2 times
> Oct  4 14:10:35 localhost snort[770]: PING-ICMP Destination Unreachable: 192.168.63.37 -> xxx.xxx.xxx.xxx
> Oct  4 14:10:38 localhost last message repeated 4 times
> Oct  4 14:11:51 localhost snort[770]: PING-ICMP Destination Unreachable: 216.17.36.19 -> xxx.xxx.xxx.xxx
> 
> When I look at one of the directories where I'm logging the traffic, I see this:
> 
> [**] PING-ICMP Destination Unreachable [**]
> 10/04-14:04:17.769976 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
> 192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:56730  DF
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 00 00 00 00 45 00 00 51 4D 0D 40 00 F4 11 51 99  ....E..QM.@...Q.
> CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 29 00 00  ......?%.5.5.)..
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] PING-ICMP Destination Unreachable [**]
> 10/04-14:04:17.770280 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
> 192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:56732  DF
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 00 00 00 00 45 00 00 59 4D 0E 40 00 F4 11 51 90  ....E..YM.@...Q.
> CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 31 00 00  ......?%.5.5.1..
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] PING-ICMP Destination Unreachable [**]
> 10/04-14:10:35.324429 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
> 192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:20438  DF
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 00 00 00 00 45 00 00 56 0F E5 40 00 F4 11 8E BC  ....E..V..@.....
> CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] PING-ICMP Destination Unreachable [**]
> 10/04-14:10:35.917362 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
> 192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:21639  DF
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 00 00 00 00 45 00 00 56 0F E6 40 00 F4 11 8E BB  ....E..V..@.....
> CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] PING-ICMP Destination Unreachable [**]
> 10/04-14:10:36.552060 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
> 192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:23165  DF
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 00 00 00 00 45 00 00 56 0F E7 40 00 F4 11 8E BA  ....E..V..@.....
> CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] PING-ICMP Destination Unreachable [**]
> 10/04-14:10:38.537898 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
> 192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:27533  DF
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 00 00 00 00 45 00 00 56 0F E8 40 00 F4 11 8E B9  ....E..V..@.....
> CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] PING-ICMP Destination Unreachable [**]
> 10/04-14:10:38.538168 0:0:C:3E:A2:3E -> 0:A0:C9:EA:D0:D8 type:0x800 len:0x46
> 192.168.63.37 -> xxx.xxx.xxx.xxx ICMP TTL:243 TOS:0x0 ID:27536  DF
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 00 00 00 00 45 00 00 56 0F E9 40 00 F4 11 8E B8  ....E..V..@.....
> CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 2E 00 00  ......?%.5.5....
                             ^     ^
                             |     |
                        sport 53  dport 53

> Q1) Why is snort logging messages in /var/log/secure about this traffic?
> Is it dangerous in some way?

Maybe I'm missing something, but this doesn't seem to make sense.  It
looks like your IDS is inside your firewall, picking up on a Destination
Unreachable packet being sent back out as a result of a UDP scan/UDP
probes.  It looks like the destination unreachable messages were sent
from your machine as a result of a host trying to reach a closed port. 
In this case, the destination (and source) port was 53, indicated by the
arrows above.  It _might_ be a UDP scan that got through your firewall. 
See http://www.robertgraham.com/pubs/firewall-seen.html for more on
that.  So Destination Unreachable alerts are handy to keep around for
things like this - especially when the scan is slow or small enough to
evade the portscan preprocessor.  

But then again, you x'ed out the destination host, so I guess that's one
of your machines.  If your IDS is inside your firewall, that would
indicate that some machine on your network is sending port 53 probes to
the machine at that internal address, looking for a DNS.

But perhaps you are right - your IDS is sitting outside your firewall. 
In that case, something even stranger is going on, because 192.168.63.37
is a reserved address, and shouldn't be routable.  In other words, it
probably isn't replying to a port 53 probe from one of your internal
hosts, and is spoofed.  I'm not sure why someone would want to send such
a crafted packet unless they are trying to clog your pipe - it still
seems unlikely.  It's much more likely that there's some sort of network
misconfiguration.

I'm sure someone will set me straight if I have left anything out.

> Q2) Do people really have nothing better to do than to sit and ping my internet
> hosts all day?

Sadly, no.

-Joe M.
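Joe reads the triggering datagram's ports straight off the hex dump. The reason that works is that an ICMP Destination Unreachable message carries the IP header of the datagram that caused it plus the first 8 bytes of that datagram's payload (RFC 792), which for UDP and TCP is exactly where the ports live. The decoder below is an added example, not code from the list post or from Snort; it takes the first dump quoted above, rebuilds the bytes, and pulls out the embedded source, destination, protocol, ports and a couple of sanity checks (private-address and length consistency) that a practitioner would want when deciding whether a packet like this is spoofed or malformed. It assumes, as Snort's ICMP printer does, that the dump begins with the 4 unused bytes that follow the ICMP type/code/checksum.

```python
import ipaddress
import struct

# Snort hex dump of the first "PING-ICMP Destination Unreachable" packet quoted
# above, copied from the page: 4 unused ICMP header bytes, the embedded IPv4
# header of the offending datagram, then the first 8 bytes of its payload.
SNORT_DUMP = """
00 00 00 00 45 00 00 51 4D 0D 40 00 F4 11 51 99
CF AA 18 91 C0 A8 3F 25 00 35 00 35 00 29 00 00
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn Snort's space-separated hex columns back into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def decode_unreachable_payload(payload: bytes) -> dict:
    """Decode the body of an ICMP type 3 (Destination Unreachable) message.

    Layout (assumed, matching RFC 792 and Snort's dump): 4 unused bytes,
    the IPv4 header of the datagram that triggered the error, and at least
    the first 8 bytes of that datagram's payload.
    """
    if len(payload) < 4 + 20:
        raise ValueError("payload too short to hold an embedded IPv4 header")
    inner = payload[4:]
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("embedded header is not a sane IPv4 header")
    if len(inner) < ihl + 8:
        raise ValueError("fewer than 8 bytes of the original datagram present")
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    info = {
        "src": str(src_ip),
        "dst": str(dst_ip),
        "src_private": src_ip.is_private,   # RFC 1918 etc.; Joe's point about 192.168.x
        "dst_private": dst_ip.is_private,
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "ttl": ttl,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "total_len": total_len,
        "length_consistent": None,
    }
    l4 = inner[ihl:ihl + 8]  # first 8 bytes of the original datagram
    if proto in (6, 17):     # TCP and UDP both start with sport, dport
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 17:
        udp_len = struct.unpack("!H", l4[4:6])[0]
        info["udp_len"] = udp_len
        # A real UDP datagram has IP total length == IHL + UDP length.
        info["length_consistent"] = (total_len == ihl + udp_len)
    return info


def describe(dump: str) -> str:
    """One-line summary of the datagram that provoked the ICMP error."""
    i = decode_unreachable_payload(hexdump_to_bytes(dump))
    ends = f"{i['src']}:{i['sport']} -> {i['dst']}:{i['dport']}" if "sport" in i \
        else f"{i['src']} -> {i['dst']}"
    notes = []
    if i["src_private"]:
        notes.append("src is a private address")
    if i["dst_private"]:
        notes.append("dst is a private address")
    if i["length_consistent"] is False:
        notes.append(f"IP total length {i['total_len']} != IHL + UDP length {i['udp_len']}")
    return f"{i['proto']} {ends} TTL {i['ttl']} DF={i['df']}" + \
        (f" [{'; '.join(notes)}]" if notes else "")


if __name__ == "__main__":
    print(describe(SNORT_DUMP))
```

Run on the quoted dump this confirms Joe's reading (UDP, source port 53, destination port 53) and shows the embedded destination is 192.168.63.37, the same private address that appears as the ICMP source in Scott's logs. The length check is worth keeping: in this dump the embedded IP total length (81) does not equal IHL plus the UDP length (20 + 41), and a decoder should surface that rather than hide it, since an embedded header that does not add up is one more thing to weigh when deciding between a crafted packet and a misconfiguration.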


