[Snort-users] ICMP from many hosts.
ipchains at ...549...
Thu Oct 12 15:02:17 EDT 2000
Thank you for your responses,
Instead of spamming snort-users list Ill post the output from a
grep -r "10:24" /var/log/snort/ at http://22.214.171.124/snort/snortlog-10-10-1024
My scenario is simple, Im running FreeBSD over cable on the optonline.net network,
I do run IPFIREWALL and icmp is limited in such that I allow reponses but dont accept
That way I can ping you, but you cant ping me sort of thing. I do allow some UDP
traffic when its required for traceroute.
The grep statement above is grepping for the exact time of 10:24 EST in the snort logs,
but some similiar stuff was recorded earlier at 8:20 EST.
If you would like to glance at a
snort -d -D -c 07272kany.rules
snort -d -D -c 07272kbackdoor.rules
The log will be there for 24 hours,
Max Vision wrote:
> On Thu, Oct 12, 2000 at 07:03:24AM -0400, Robert Buckley wrote:
> > I was hit by an ICMP by many hosts last night, I would guess there were
> > at least 15-20.
> > Did anyone have the same experience? It looked like some type of
> > coordinated icmp attack, but I block most ICMP and the attempt was
> > stopped as the message was UNREACH. All hosts hit me at 10:34 EST.
> > Something else curious too was that there was
> > a private address inlcuded in that - > 10.10.232.1 ?????
> > Any comments?
> If you forward some of the packets, especially the port unreach icmp messages, then
> we could probably help you out with the decodes. Since unreach packets are a
> response, it may be that these hosts believe that your machine(s) tried to connect
> to them in some way. Either your machine(s) did make contact, or someone is
> spoofing your address possibly in a decoy scan. Another possibility is that the
> unreach messages themselves are false. Packet traces might clear this up :)
> Max Vision
More information about the Snort-users