[Snort-users] Where or how to interpret this

shawn . moyer shawn at ...1184...
Sat Apr 7 19:37:42 EDT 2001

This will usually be a box sending a response packet back to a machine
on your net on a port that it doesn't like -- some IP stacks are
configured to use a specific range of ports for response packets
(generally something like 1024-32767), and if something responds to a
funky port the box will send an unreachable message.

This could also be someone attempting to connect to a service on a box
that doesn't exist, followed by the box's response back saying that port
isn't open. 

Generally it's a good practice to drop these messages at the firewall,
since they give more information back to a potential attacker than you
might want to send, i.e. even stating whether a service is unavailable
or not is giving out info "for free" about your network. Dropping these
can break some protocols, though, specifically active FTP.


"./" wrote:
> Right.  I've converted my snort log (snort -r ) and got this among other
> things.  I just want to know how (or where) I can interpret this:
> 04/07-19:33:15.831746 xx.xx.xx.xx -> yy.yy.yy.yy
> ICMP TTL:128 TOS:0x0 ID:58635 IpLen:20 DgmLen:56
> yy.yy.yy.yy:53 -> xx.xx.xx.xx:17418
> UDP TTL:239 TOS:0x0 ID:63931 IpLen:20 DgmLen:158
> Len: 138
> where xx = internal and yy = external.
> --
> "The circumstances of one's birth are irrelevant.
> It is what you do with the gift of life that
> determines who you are."  -- MewTwo


s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
                             -- Ted Turner
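As an added example (not part of this thread), a small Python parser that pairs the outer ICMP header in the quoted Snort log with the original datagram header Snort prints from the ICMP payload, and checks that the two are mirror images of each other before summarising the event. The function names and the one-entry service table are my own.

```python
import re

# The two packets from the quoted log, copied verbatim from the post above
# (xx/yy are the original poster's address placeholders, not real hosts).
SAMPLE_LOG = """04/07-19:33:15.831746 xx.xx.xx.xx -> yy.yy.yy.yy
ICMP TTL:128 TOS:0x0 ID:58635 IpLen:20 DgmLen:56
yy.yy.yy.yy:53 -> xx.xx.xx.xx:17418
UDP TTL:239 TOS:0x0 ID:63931 IpLen:20 DgmLen:158
Len: 138
"""

OUTER_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)$")       # timestamp src -> dst
INNER_RE = re.compile(r"^(\S+):(\d+)\s+->\s+(\S+):(\d+)$")    # src:port -> dst:port
HDR_RE = re.compile(r"^(ICMP|UDP|TCP)\s+TTL:(\d+)\s.*DgmLen:(\d+)$")
KNOWN_PORTS = {53: "DNS"}  # constructed lookup table used only for the summary


def parse_icmp_event(text):
    """Pair the outer ICMP header with the original datagram header that Snort
    prints from the ICMP payload. Returns None if the chunk is not that shape."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 4:
        return None
    outer, ohdr = OUTER_RE.match(lines[0]), HDR_RE.match(lines[1])
    inner, ihdr = INNER_RE.match(lines[2]), HDR_RE.match(lines[3])
    if not (outer and ohdr and inner and ihdr) or ohdr.group(1) != "ICMP":
        return None
    ev = {
        "time": outer.group(1),
        "icmp_src": outer.group(2), "icmp_dst": outer.group(3),
        "orig_proto": ihdr.group(1),
        "orig_src": inner.group(1), "orig_sport": int(inner.group(2)),
        "orig_dst": inner.group(3), "orig_dport": int(inner.group(4)),
    }
    # The embedded header should mirror the ICMP packet: the host that sent the
    # ICMP is the one that received the original datagram, and vice versa.
    ev["consistent"] = (ev["icmp_src"] == ev["orig_dst"]
                        and ev["icmp_dst"] == ev["orig_src"])
    return ev


def describe(ev):
    """One-line reading of the event in the terms the reply above uses."""
    if not ev["consistent"]:
        return "embedded header does not match the ICMP packet; treat as suspect"
    svc = KNOWN_PORTS.get(ev["orig_sport"], "unknown")
    return "%s sent ICMP to %s in reply to %s %s:%d (%s) -> %s:%d" % (
        ev["icmp_src"], ev["icmp_dst"], ev["orig_proto"], ev["orig_src"],
        ev["orig_sport"], svc, ev["orig_dst"], ev["orig_dport"])


if __name__ == "__main__":
    print(describe(parse_icmp_event(SAMPLE_LOG)))
```

Feed it the header pairs Snort writes for ICMP packets; a chunk whose embedded addresses do not mirror the outer packet is flagged rather than summarised.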
