[Snort-users] Where or how to interpret this
dotslash at ...1760...
Sun Apr 8 13:01:32 EDT 2001
However, in future "attacks" like this, how can I tell such activity by myself?
Is there a website to learn this from, or a book from Amazon
(could also be on my wishlist :-) )?
----- Original Message -----
From: "shawn . moyer" <shawn at ...1184...>
To: "./" <dotslash at ...1760...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Sunday, April 08, 2001 3:37 AM
Subject: Re: [Snort-users] Where or how to interpret this
> This will usually be a box sending a response packet back to a machine
> on your net on a port that it doesn't like -- some IP stacks are
> configured to use a specific range of ports for response packets
> (generally something like 1024-32767), and if something responds to a
> funky port the box will send an unreachable message.
> This could also be someone attempting to connect to a service on a box
> that doesn't exist, followed by the box's response back saying that port
> isn't open.
> Generally it's a good practice to drop these messages at the firewall,
> since they give more information back to a potential attacker than you
> might want to send, i.e. even stating whether a service is unavailable
> or not is giving out info "for free" about your network. Dropping these
> can break some protocols, though, specifically active FTP.
> "./" wrote:
> > Right. I've converted my snort log (snort -r ) and got this among other
> > things. I just want to know how (or where) I can interpret this:
> > 04/07-19:33:15.831746 xx.xx.xx.xx -> yy.yy.yy.yy
> > ICMP TTL:128 TOS:0x0 ID:58635 IpLen:20 DgmLen:56
> > Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
> > ** ORIGINAL DATAGRAM DUMP:
> > yy.yy.yy.yy:53 -> xx.xx.xx.xx:17418
> > UDP TTL:239 TOS:0x0 ID:63931 IpLen:20 DgmLen:158
> > Len: 138
> > ** END OF DUMP
> > where xx = internal and yy = external.
> > --
> > "The circumstances of ones birth are irrelevant.
> > It is what you do with the gift of life that
> > determines who you are." -- MewTwo
> s h a w n m o y e r
> shawn at ...1184...
> "Nuclear war would really set back cable."
> -- Ted Turner
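To make the Snort dump in the thread concrete, here is an added example (it is not code from the thread, from the posters, or from Snort) that builds the exchange shawn describes with constructed addresses, decodes the ICMP destination-unreachable message including the original IP header and first 8 bytes that RFC 792 requires it to quote, and applies the one consistency check a defender wants before believing such a message: a port unreachable is generated by the host that received the quoted datagram, so the outer source must be the quoted destination. The addresses 10.0.0.5 (for xx) and 192.0.2.53 (for yy), the 130-byte DNS answer, and the `spoofed` variant are all constructed for the example.

```python
import socket
import struct

# Constructed stand-ins for the anonymised hosts in the thread (not from the post).
INTERNAL_HOST = "10.0.0.5"      # xx.xx.xx.xx
EXTERNAL_DNS = "192.0.2.53"     # yy.yy.yy.yy
CLIENT_PORT = 17418             # resolver port that was already closed

ICMP_PROTO, UDP_PROTO = 1, 17
ICMP_DEST_UNREACH = 3
UNREACH_CODES = {0: "NET UNREACHABLE", 1: "HOST UNREACHABLE",
                 2: "PROTOCOL UNREACHABLE", 3: "PORT UNREACHABLE",
                 4: "FRAGMENTATION NEEDED", 13: "ADMINISTRATIVELY PROHIBITED"}


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl, ident):
    """20-byte IPv4 header without options, checksum filled in, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp_port_unreachable(offending):
    """Type 3 / Code 3 error quoting the offending IP header + 8 bytes (RFC 792)."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0) + offending[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def sample_packet(spoofed=False):
    """Constructed scenario: a late DNS reply yy:53 -> xx:17418 (130-byte answer)
    followed by the ICMP port unreachable xx -> yy that Snort logged. With
    spoofed=True the error comes from a third host, which the receiving
    host's own stack would never produce for a port unreachable."""
    udp = struct.pack("!HHHH", 53, CLIENT_PORT, 8 + 130, 0) + b"\x00" * 130
    reply = build_ipv4(EXTERNAL_DNS, INTERNAL_HOST, UDP_PROTO, udp, ttl=239, ident=63931)
    reporter = "10.0.0.99" if spoofed else INTERNAL_HOST
    icmp = build_icmp_port_unreachable(reply)
    return build_ipv4(reporter, EXTERNAL_DNS, ICMP_PROTO, icmp, ttl=128, ident=58635)


def parse_ipv4(buf):
    """Return (header dict, payload); slicing tolerates the truncated quoted copy."""
    vihl, tos, total, ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    hdr = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
           "tos": tos, "id": ident, "iplen": ihl, "dgmlen": total, "proto": proto}
    return hdr, buf[ihl:total]


def parse_icmp_unreachable(payload):
    """Decode the ICMP header and the quoted original datagram inside it."""
    itype, code, _csum, _unused = struct.unpack("!BBHI", payload[:8])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not an ICMP destination-unreachable message")
    orig, rest = parse_ipv4(payload[8:])
    if orig["proto"] == UDP_PROTO and len(rest) >= 8:
        orig["sport"], orig["dport"], orig["udp_len"], _ = struct.unpack("!HHHH", rest[:8])
    return {"type": itype, "code": code,
            "reason": UNREACH_CODES.get(code, "UNKNOWN CODE %d" % code), "orig": orig}


def interpret(packet):
    """Who is complaining, about which port, and does the quoted datagram belong to it?"""
    outer, payload = parse_ipv4(packet)
    if outer["proto"] != ICMP_PROTO:
        raise ValueError("not ICMP")
    icmp = parse_icmp_unreachable(payload)
    orig = icmp["orig"]
    # The host that received the quoted datagram is the one that emits the error,
    # so outer source must equal quoted destination (and vice versa); a mismatch
    # means a forged or misrouted message and deserves its own alert.
    consistent = orig["dst"] == outer["src"] and orig["src"] == outer["dst"]
    return {"reporter": outer["src"], "peer": outer["dst"], "reason": icmp["reason"],
            "closed_port": orig.get("dport"), "service_port": orig.get("sport"),
            "consistent": consistent, "outer_dgmlen": outer["dgmlen"],
            "orig_dgmlen": orig["dgmlen"]}


def render(packet):
    """Summary whose layout only loosely follows the Snort output in the thread."""
    outer, payload = parse_ipv4(packet)
    icmp = parse_icmp_unreachable(payload)
    o = icmp["orig"]
    proto = "UDP" if o["proto"] == UDP_PROTO else "PROTO:%d" % o["proto"]
    return "\n".join([
        "%s -> %s" % (outer["src"], outer["dst"]),
        "ICMP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d" % (
            outer["ttl"], outer["tos"], outer["id"], outer["iplen"], outer["dgmlen"]),
        "Type:%d Code:%d DESTINATION UNREACHABLE: %s" % (icmp["type"], icmp["code"], icmp["reason"]),
        "** ORIGINAL DATAGRAM DUMP:",
        "%s:%s -> %s:%s" % (o["src"], o.get("sport", "?"), o["dst"], o.get("dport", "?")),
        "%s TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d" % (
            proto, o["ttl"], o["tos"], o["id"], o["iplen"], o["dgmlen"]),
        "** END OF DUMP",
    ])


if __name__ == "__main__":
    print(render(sample_packet()))
    print(interpret(sample_packet()))
    print(interpret(sample_packet(spoofed=True)))
```

Reading the result the way the thread does: the reporter is the internal host xx, the quoted datagram came from port 53 on the external host, and the closed port is the internal side's ephemeral port, so the benign explanation is a DNS answer that arrived after the resolver had given up and closed its socket. The outer DgmLen of 56 (20 IP + 8 ICMP + 28 quoted bytes) and the quoted DgmLen of 158 match the figures in the original log, which is a quick sanity check that a real stack, not a hand-crafted packet, produced the message; the `consistent` flag is the check worth alerting on when it is false.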