[Snort-users] ICMP from many hosts.

Robert Buckley ipchains at ...549...
Thu Oct 12 15:02:17 EDT 2000

Thank you for your responses,

Instead of spamming snort-users list I'll post the output from a
 grep -r "10:24" /var/log/snort/ at

My scenario is simple, I'm running FreeBSD over cable on the optonline.net network,
I do run IPFIREWALL and icmp is limited in such that I allow responses but don't accept
That way I can ping you, but you can't ping me sort of thing. I do allow some UDP
traffic when it's required for traceroute.
The grep statement above is grepping for the exact time of 10:24 EST in the snort logs,
but some similar stuff was recorded earlier at 8:20 EST.
If you would like to glance at a
        snort -d -D -c 07272kany.rules
        snort -d -D -c 07272kbackdoor.rules

The log will be there for 24 hours,

Thanx Again,

Max Vision wrote:

> On Thu, Oct 12, 2000 at 07:03:24AM -0400, Robert Buckley wrote:
> > I was hit by an ICMP by many hosts last night, I would guess there were
> > at least 15-20.
> > Did anyone have the same experience? It looked like some type of
> > coordinated icmp attack, but I block most ICMP and the attempt was
> > stopped as the message was UNREACH. All hosts hit me at 10:34 EST.
> > Something else curious too was that there was
> > a private address included in that - >  ?????
> > Any comments?
> >
> If you forward some of the packets, especially the port unreach icmp messages, then
> we could probably help you out with the decodes.  Since unreach packets are a
> response, it may be that these hosts believe that your machine(s) tried to connect
> to them in some way.  Either your machine(s) did make contact, or someone is
> spoofing your address possibly in a decoy scan.  Another possibility is that the
> unreach messages themselves are false. Packet traces might clear this up :)
> Max Vision
> http://whitehats.com/
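Max Vision's point is that a port-unreachable is a response that quotes the packet which triggered it, so the quoted inner header tells you which host the sender believes contacted it. The script below is an added example, not code from this list or from Snort: it decodes the quoted inner header of an ICMP type 3 and labels each message as an expected reply to a probe the monitored host really sent (e.g. traceroute), backscatter from someone spoofing its address (a decoy scan), or unrelated. All addresses, ports and the `sent` record are constructed sample values.

```python
import struct
import ipaddress
from collections import namedtuple

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left as 0 (constructed sample, not validated here)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_unreach(sender: str, me: str, inner_dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: `sender` tells `me` that a UDP probe me->inner_dst:dport was unreachable."""
    inner = ipv4_header(me, inner_dst, 17, 36) + struct.pack("!HHHH", sport, dport, 16, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner   # type 3, code 3 = port unreachable
    return ipv4_header(sender, me, 1, 20 + len(icmp)) + icmp

Unreach = namedtuple("Unreach", "sender code inner_src inner_dst proto sport dport")

def decode_unreach(pkt: bytes):
    """Return the quoted original-packet fields of an ICMP destination-unreachable, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8 or pkt[ihl] != 3:   # not ICMP / not type 3
        return None
    icmp = pkt[ihl:]
    inner = icmp[8:]                          # quoted original IP header + first 8 payload bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:            # need at least the ports of the quoted TCP/UDP header
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return Unreach(str(ipaddress.IPv4Address(pkt[12:16])), icmp[1],
                   str(ipaddress.IPv4Address(inner[12:16])),
                   str(ipaddress.IPv4Address(inner[16:20])), inner[9], sport, dport)

def classify(u: Unreach, my_addrs: set, sent: set) -> str:
    """'expected' if we really sent the quoted probe, 'backscatter' if our address is quoted
    as source but we never sent it (spoofed, e.g. as a decoy), 'unrelated' otherwise."""
    if u.inner_src not in my_addrs:
        return "unrelated"
    if (u.inner_dst, u.proto, u.dport) in sent:
        return "expected"
    return "backscatter"

if __name__ == "__main__":
    ME = "192.0.2.10"                                  # placeholder for the monitored host
    sent = {("198.51.100.7", 17, 33434)}               # constructed: one real traceroute probe
    for p in (build_unreach("198.51.100.7", ME, "198.51.100.7", 40000, 33434),
              build_unreach("203.0.113.5", ME, "203.0.113.5", 1234, 9999)):
        u = decode_unreach(p)
        print(u.sender, "code", u.code, "quotes", u.inner_src, "->", classify(u, {ME}, sent))
```

Feed it the raw IP datagrams from a capture instead of the constructed ones and fill `sent` from your own outbound logs; a run of "backscatter" from many senders at the same minute matches the spoofed-source scenario Max describes.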
