[Snort-users] Where or how to interpret this

Blake Frantz blake at ...319...
Mon Apr 9 12:02:54 EDT 2001


I recommend http://project.honeynet.org/
	    http://www.whitehats.com

and...
	TCP/IP Illustrated Volume 1 : The Protocols
	W. Richard Stevens
	ISBN 0-201-63346-9

Blake

On Sun, 8 Apr 2001, ./ wrote:

> Very interesting.
> 
> However, in future "attacks" like this how can I tell by myself of such
> activity?  Is there a website to learn this from or a book from Amazon
> (could also be on my wishlist :-) ?
> 
> 
> 
> ----- Original Message -----
> From: "shawn . moyer" <shawn at ...1184...>
> To: "./" <dotslash at ...1760...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Sunday, April 08, 2001 3:37 AM
> Subject: Re: [Snort-users] Where or how to interpret this
> 
> 
> >
> > This will usually be a box sending a response packet back to a machine
> > on your net on a port that it doesn't like -- some IP stacks are
> > configured to use a specific range of ports for response packets
> > (generally something like 1024-32767), and if something responds to a
> > funky port the box will send an unreachable message.
> >
> > This could also be someone attempting to connect to a service on a box
> > that doesn't exist, followed by the box's response back saying that port
> > isn't open.
> >
> > Generally it's a good practice to drop these messages at the firewall,
> > since they give more information back to a potential attacker than you
> > might want to send, i.e. even stating whether a service is unavailable
> > or not is giving out info "for free" about your network. Dropping these
> > can break some protocols, though, specifically active FTP.
> >
> >
> >
> > --shawn
> >
> > "./" wrote:
> > >
> > > Right.  I've converted my snort log (snort -r ) and got this among other
> > > things.  I just want to know how (or where) I can interpret this:
> > >
> > > 04/07-19:33:15.831746 xx.xx.xx.xx -> yy.yy.yy.yy
> > > ICMP TTL:128 TOS:0x0 ID:58635 IpLen:20 DgmLen:56
> > > Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> > > ** ORIGINAL DATAGRAM DUMP:
> > > yy.yy.yy.yy:53 -> xx.xx.xx.xx:17418
> > > UDP TTL:239 TOS:0x0 ID:63931 IpLen:20 DgmLen:158
> > > Len: 138
> > > ** END OF DUMP
> > >
> > > where xx = internal and yy = external.
> > >
> > > --
> > > "The circumstances of one's birth are irrelevant.
> > > It is what you do with the gift of life that
> > > determines who you are."  -- MewTwo
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > --
> >
> > s h a w n   m o y e r
> > shawn at ...1184...
> >
> > "Nuclear war would really set back cable."
> >                              -- Ted Turner
> 
> 
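As an added example (not code from the original thread), a small Python decoder for the message shawn describes: it pulls the quoted original datagram out of an ICMP Type 3 / Code 3 packet, the way Snort's ORIGINAL DATAGRAM DUMP does, and checks that the unreachable was sent by that datagram's own destination rather than a third host. The packet bytes are constructed to mirror the posted alert, with 192.0.2.10 and 198.51.100.53 standing in for xx and yy.

```python
import socket
import struct

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used for the ICMP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_port_unreachable(pkt: bytes) -> dict:
    """Decode IPv4 + ICMP type 3/3 and the quoted datagram (IP header + 8 payload bytes = UDP header)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("outer datagram is not ICMP")
    icmp = pkt[ihl:]
    if (icmp[0], icmp[1]) != (3, 3):
        raise ValueError(f"not port unreachable: type {icmp[0]} code {icmp[1]}")
    if _checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                                  # quoted original datagram
    in_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17:
        raise ValueError("quoted datagram is not UDP")
    sport, dport, ulen = struct.unpack("!HHH", inner[in_ihl:in_ihl + 6])
    outer_src, inner_dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(inner[16:20])
    return {
        "outer_src": outer_src, "outer_dst": socket.inet_ntoa(pkt[16:20]), "icmp_ttl": pkt[8],
        "inner_src": socket.inet_ntoa(inner[12:16]), "inner_dst": inner_dst,
        "inner_ttl": inner[8], "inner_dgmlen": struct.unpack("!H", inner[2:4])[0],
        "sport": sport, "dport": dport, "udp_len": ulen,
        # Host-generated unreachables come from the quoted datagram's destination; a router would differ.
        "from_dest_host": outer_src == inner_dst,
    }

def build_sample() -> bytes:
    """Constructed packet mirroring the posted alert; 192.0.2.10 stands in for xx (internal),
    198.51.100.53 for yy (external). IP header checksums are left at 0."""
    xx, yy = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.53")
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 158, 63931, 0, 239, 17, 0, yy, xx)
    orig_udp = struct.pack("!HHHH", 53, 17418, 138, 0)          # yy:53 -> xx:17418, Len 138
    body = struct.pack("!BBHI", 3, 3, 0, 0) + orig_ip + orig_udp  # ICMP header, checksum 0
    body = body[:2] + struct.pack("!H", _checksum(body)) + body[4:]
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 58635, 0, 128, 1, 0, xx, yy)
    return outer_ip + body

if __name__ == "__main__":
    print(parse_port_unreachable(build_sample()))
```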