[Snort-users] Where or how to interpret this

Blake Frantz blake at ...319...
Mon Apr 9 10:54:07 EDT 2001


Just a small note:

ICMP unreachable packets are sent when UDP traffic is sent to a port with
no active service.

TCP RST packets are sent when TCP traffic is sent to a port with no active
service.

-Blake


On Sat, 7 Apr 2001, shawn . moyer wrote:

> 
> This will usually be a box sending a response packet back to a machine
> on your net on a port that it doesn't like -- some IP stacks are
> configured to use a specific range of ports for response packets
> (generally something like 1024-32767), and if something responds to a
> funky port the box will send an unreachable message.
> 
> This could also be someone attempting to connect to a service on a box
> that doesn't exist, followed by the box's response back saying that port
> isn't open. 
> 
> Generally it's a good practice to drop these messages at the firewall,
> since they give more information back to a potential attacker than you
> might want to send, i.e. even stating whether a service is unavailable
> or not is giving out info "for free" about your network. Dropping these
> can break some protocols, though, specifically active FTP.
> 
> 
> 
> --shawn
> 
> "./" wrote:
> > 
> > Right.  I've converted my snort log (snort -r ) and got this among other
> > things.  I just want to know how (or where) I can interpret this:
> > 
> > 04/07-19:33:15.831746 xx.xx.xx.xx -> yy.yy.yy.yy
> > ICMP TTL:128 TOS:0x0 ID:58635 IpLen:20 DgmLen:56
> > Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> > ** ORIGINAL DATAGRAM DUMP:
> > yy.yy.yy.yy:53 -> xx.xx.xx.xx:17418
> > UDP TTL:239 TOS:0x0 ID:63931 IpLen:20 DgmLen:158
> > Len: 138
> > ** END OF DUMP
> > 
> > where xx = internal and yy = external.
> > 
> > --
> > "The circumstances of one's birth are irrelevant.
> > It is what you do with the gift of life that
> > determines who you are."  -- MewTwo
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> -- 
> 
> s h a w n   m o y e r
> shawn at ...1184...
> 
> "Nuclear war would really set back cable."
>                              -- Ted Turner
> 
> 
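To make the dump above concrete, here is an added example (mine, not code from this thread or from Snort) that rebuilds the on-the-wire form of the logged packet from constructed bytes, using the documentation addresses 192.0.2.10 for xx and 198.51.100.53 for yy, then parses the outer IP and ICMP headers, verifies the ICMP checksum, and walks into the quoted original datagram to recover the `yy:53 -> xx:17418` line the way Snort prints it. The "which side had no listener" reading and the service-port-to-ephemeral-port heuristic in `describe()` are assumptions of this example, not something Snort reports; the packet bytes are constructed from the field values in the log, not captured.

```python
import struct
import ipaddress

# Constructed stand-ins for the obfuscated xx (internal) and yy (external)
# hosts in the posted log; both are RFC 5737 documentation addresses.
INTERNAL = "192.0.2.10"
EXTERNAL = "198.51.100.53"

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {0: "NET UNREACHABLE", 1: "HOST UNREACHABLE", 2: "PROTOCOL UNREACHABLE",
                 3: "PORT UNREACHABLE", 4: "FRAGMENTATION NEEDED",
                 13: "ADMINISTRATIVELY PROHIBITED"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl, ident, tos=0):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_sample_packet() -> bytes:
    """Constructed wire form of the logged packet: the internal host answers a 158-byte
    UDP datagram from EXTERNAL:53 with ICMP type 3 / code 3.  Only the inner IP header
    plus 8 bytes of UDP are quoted, so the outer DgmLen is 56 although the inner says 158."""
    inner_ip = ipv4_header(EXTERNAL, INTERNAL, 17, 158, ttl=239, ident=63931)
    udp = struct.pack("!HHHH", 53, 17418, 138, 0)       # "Len: 138" is the UDP length field
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0) + inner_ip + udp
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(INTERNAL, EXTERNAL, 1, 20 + len(icmp), ttl=128, ident=58635) + icmp


def parse_ipv4(buf: bytes) -> dict:
    ver_ihl, tos, total_len, ident, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", buf[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if inet_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ihl": ihl, "tos": tos, "total_len": total_len, "id": ident, "ttl": ttl,
            "proto": proto, "src": str(ipaddress.ip_address(buf[12:16])),
            "dst": str(ipaddress.ip_address(buf[16:20]))}


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Parse outer IP + ICMP, then the quoted original datagram (IP header + 8 bytes of L4)."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1:
        raise ValueError("outer datagram is not ICMP")
    icmp = pkt[outer["ihl"]:outer["total_len"]]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("ICMP type %d is not Destination Unreachable" % itype)
    inner = parse_ipv4(icmp[8:])                       # header of the datagram that triggered it
    l4 = icmp[8 + inner["ihl"]:8 + inner["ihl"] + 8]
    if len(l4) < 8:
        raise ValueError("fewer than 8 bytes of the original transport header quoted")
    inner["sport"], inner["dport"] = struct.unpack("!HH", l4[:4])  # same offsets for UDP and TCP
    if inner["proto"] == 17:
        inner["udp_len"] = struct.unpack("!H", l4[4:6])[0]
    return {"outer": outer, "code": code,
            "code_name": UNREACH_CODES.get(code, "UNKNOWN"), "inner": inner}


def describe(p: dict) -> str:
    """Plain-English reading of the parsed message (the heuristics here are assumptions)."""
    o, i = p["outer"], p["inner"]
    proto = PROTO_NAMES.get(i["proto"], str(i["proto"]))
    lines = ["%s told %s: %s (ICMP type 3 code %d)" % (o["src"], o["dst"], p["code_name"], p["code"]),
             "  triggered by: %s %s:%d -> %s:%d, TTL %d, %d bytes" %
             (proto, i["src"], i["sport"], i["dst"], i["dport"], i["ttl"], i["total_len"])]
    if p["code"] == 3:
        lines.append("  meaning: the datagram reached %s, but nothing was listening on %s/%d there"
                     % (i["dst"], proto, i["dport"]))
        if i["proto"] == 17 and i["sport"] < 1024 <= i["dport"]:
            lines.append("  heuristic: reply from service port %d to an ephemeral port; the client "
                         "socket on %s was most likely already closed (e.g. a late answer)"
                         % (i["sport"], i["dst"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(parse_icmp_unreachable(build_sample_packet())))
```

Run stand-alone it prints the reading of the logged packet: the internal host xx generated the ICMP, so xx is the side with no listener on UDP/17418, and the quoted source yy:53 is the external host whose reply went unanswered. Feeding `parse_icmp_unreachable()` a packet with a corrupted ICMP checksum raises `ValueError`, which is the check you want before trusting the quoted header, since the quoted bytes come from whoever sent the ICMP.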
