[Snort-users] ICMP Redirect Attack

Bob Van Cleef vancleef at ...211...
Fri Apr 6 16:34:56 EDT 2001


How do you read an ICMP redirect alert? I got a bunch of these... but
looking at the dumps left me sort of confused. (A not untypical state. :)

[**] IDS135/icmp-redirect_host [**]
04/05-22:14:29.448113 212.223.69.17 -> 192.86.6.23
ICMP TTL:244 TOS:0xC0 ID:43421 IpLen:20 DgmLen:179
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5  ..E.E....H..1...
C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01  .V....E.....!...
CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20  .[..P.......220
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
2E 63 6F 6D 20 45 53 4D 54 50 20 53 65 6E 64 6D  .com ESMTP Sendm
61 69 6C 20 38 2E 38 2E 38 2F 38 2E 38 2E 38 3B  ail 8.8.8/8.8.8;
20 54 68 75 2C 20 35 20 41 70 72 20 32 30 30 31   Thu, 5 Apr 2001
20 32 32 3A 31 37 3A 35 39 20 2D 30 37 30 30 20   22:17:59 -0700
28 50 44 54 29 0D 0A 01 51 80 00 01 00 02 A3 00  (PDT)...Q.......
00 04 CE 0E 01 00 00 00 00 01 00                 ...........


192.86.6.23 is metis.microunity.com, a mail server.  The contents
of this packet look like something I would expect to be coming
from metis, not being sent to metis.

There were 13 alerts; the contents were all different, yet most
looked like something metis would be sending out... but not exactly.

[**] IDS135/icmp-redirect_host [**]
04/05-16:47:53.006829 212.223.69.17 -> 192.86.6.23
ICMP TTL:244 TOS:0xC0 ID:55381 IpLen:20 DgmLen:157
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 6D 0C 5B 00 00 31 06 9C C9  ..E.E..m.[..1...
C0 56 06 17 D4 DF 45 1A 00 19 05 F1 01 C0 3E 5C  .V....E.......>\
FD 84 55 85 50 18 10 00 F6 3D 00 00 32 35 30 20  ..U.P....=..250
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
2E 63 6F 6D 20 48 65 6C 6C 6F 20 5B 32 31 32 2E  .com Hello [212.
32 32 33 2E 36 39 2E 32 36 5D 2C 20 70 6C 65 61  223.69.26], plea
73 65 64 20 74 6F 20 6D 65 65 74 20 79 6F 75 0D  sed to meet you.
0A 31 36 3A 01 00 00 00 31 20 2D 30 37 30 30 20  .16:....1 -0700
28 50 44 54 29                                   (PDT)

If metis was talking to 212.223.69.17, why would it think it was
talking to 212.223.69.26?

Bob
><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
Bob Van Cleef, Member of Technical Staff         (408) 734-8100
MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
376 Martin Ave., Santa Clara, CA 95050  vancleef at ...211...
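As an added example (not part of Bob's post, nor Snort code), here is a decoder for the body of an ICMP Type 5 message as Snort dumps it: the first four bytes are the new gateway the router proposes, followed by the IP header of the datagram that triggered the redirect and at least the first 8 bytes of its transport header. The input is the first alert's bytes re-typed from the post; the 192.86.6.0/24 prefix for metis is an assumption, since the post does not give its netmask.

```python
import ipaddress
import struct

# Hex from the first alert in the post, re-typed as the sample input; Snort
# prints the ICMP payload, i.e. the bytes after type/code/checksum.
DUMP_HEX = (
    "D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5 "
    "C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01 "
    "CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20"
)
ALERT_SRC = ipaddress.IPv4Address("212.223.69.17")  # sender of the redirect
ALERT_DST = ipaddress.IPv4Address("192.86.6.23")    # metis, the recipient
# Assumption: metis sits on 192.86.6.0/24 (the post does not give its mask).
LOCAL_NET = ipaddress.IPv4Network("192.86.6.0/24")


def decode_redirect_payload(payload: bytes) -> dict:
    """Decode an ICMP Type 5 body per RFC 792: 4-byte new gateway, then the
    IP header of the datagram that triggered the redirect, then at least the
    first 8 bytes of its transport header (TCP ports and sequence number)."""
    gateway = ipaddress.IPv4Address(payload[0:4])
    ihl = (payload[4] & 0x0F) * 4
    if payload[4] >> 4 != 4 or len(payload) < 4 + ihl + 8:
        raise ValueError("embedded datagram is not IPv4 or is truncated")
    ip = payload[4:4 + ihl]
    sport, dport = struct.unpack("!HH", payload[4 + ihl:4 + ihl + 4])
    return {
        "gateway": gateway,
        "orig_src": ipaddress.IPv4Address(ip[12:16]),
        "orig_dst": ipaddress.IPv4Address(ip[16:20]),
        "orig_proto": ip[9],  # 6 = TCP
        "orig_ttl": ip[8],
        "orig_len": struct.unpack("!H", ip[2:4])[0],
        "orig_sport": sport,
        "orig_dport": dport,
    }


def redirect_is_acceptable(sender, recipient, info, local_net) -> bool:
    """A host should honour a redirect only if the router that sent it and the
    new gateway are both on the host's own link and the embedded datagram was
    really sent by the recipient; a redirect from a remote network, as here,
    cannot legitimately change the first hop and should be dropped."""
    return (sender in local_net and info["gateway"] in local_net
            and info["orig_src"] == recipient)


if __name__ == "__main__":
    info = decode_redirect_payload(bytes.fromhex(DUMP_HEX))
    for k, v in info.items():
        print(f"{k:11} {v}")
    print("acceptable:", redirect_is_acceptable(ALERT_SRC, ALERT_DST, info, LOCAL_NET))
```

Run on the first alert it shows the embedded datagram was metis's own SMTP banner (source port 25) to 212.223.69.26, and that the proposed gateway is that same host, which is why the dump reads like traffic metis sent.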