[Snort-users] Bizarre ICMP Redirect Packets

Ralf Hildebrandt Ralf.Hildebrandt at ...821...
Tue Apr 10 13:05:14 EDT 2001


This is the packet trace I have seen using Snort. What I don't understand is
why I see fragments of an SMTP session in it...
The corresponding entries in the maillog:

Apr 10 18:13:33 stahlw06 postfix/smtpd[29105]: connect from unknown[212.223.69.26]
Apr 10 18:13:33 stahlw06 postfix/smtpd[29105]: 6B3031450E: client=unknown[212.223.69.26]
Apr 10 18:13:34 stahlw06 postfix/smtpd[29105]: reject: RCPT from unknown[212.223.69.26]: 554 Client host rejected: cannot find your hostname, [212.223.69.26]; from=<handy-land at ...1782...> to=<myaddress at ...1783...>
Apr 10 18:13:40 stahlw06 postfix/smtpd[29105]: disconnect from unknown[212.223.69.26]

Is this some sort of ICMP tunnel?

[**] IDS135/icmp-redirect_host [**]
04/10-18:13:32.125747 212.223.69.17 -> 134.169.69.226
ICMP TTL:248 TOS:0xC0 ID:10621 IpLen:20 DgmLen:92
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 2C 72 05 40 00 36 06 EC 41  ..E.E..,r.@.6..A
86 A9 45 E2 D4 DF 45 1A 00 19 08 FB 4B B0 3A DA  ..E...E.....K.:.
70 86 73 EB 60 12 80 00 BD 80 00 00 02 04 05 B4  p.s.`...........
00 00 00 00 01 00 00 00 C3 B6 72 52 D4 DF 45 11  ..........rR..E.
02 00 00 00                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS135/icmp-redirect_host [**]
04/10-18:13:33.037389 212.223.69.17 -> 134.169.69.226
ICMP TTL:248 TOS:0xC0 ID:10648 IpLen:20 DgmLen:135
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 57 72 12 40 00 36 06 EC 09  ..E.E..Wr.@.6...
86 A9 45 E2 D4 DF 45 1A 00 19 08 FB 4B B0 3A DB  ..E...E.....K.:.
70 86 73 EB 50 18 80 00 3D 55 00 00 32 32 30 20  p.s.P...=U..220 
73 74 61 68 6C 77 30 36 2E 73 74 61 68 6C 2E 62  stahlw06.stahl.b
61 75 2E 74 75 2D 62 73 2E 64 65 20 45 53 4D 54  au.tu-bs.de ESMT
50 20 50 6F 73 74 66 69 78 0D 0A 63 6F 6D 0D 0A  P Postfix..com..
00 0E 10 00 01 00 00 00 00 8C A0 3A 80 00 01     ...........:...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS135/icmp-redirect_host [**]
04/10-18:13:33.281209 212.223.69.17 -> 134.169.69.226
ICMP TTL:248 TOS:0xC0 ID:10660 IpLen:20 DgmLen:88
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 28 72 15 40 00 36 06 EC 35  ..E.E..(r.@.6..5
86 A9 45 E2 D4 DF 45 1A 00 19 08 FB 4B B0 3B 2B  ..E...E.....K.;+
70 86 74 26 50 10 80 00 D4 B2 00 00 00 00 00 00  p.t&P...........
00 00 15 85 01 00 00 00 32 35 30 20 6F 6B 0D 0A  ........250 ok..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS135/icmp-redirect_host [**]
04/10-18:13:33.626681 212.223.69.17 -> 134.169.69.226
ICMP TTL:248 TOS:0xC0 ID:10680 IpLen:20 DgmLen:96
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 30 72 18 40 00 36 06 EC 2A  ..E.E..0r.@.6..*
86 A9 45 E2 D4 DF 45 1A 00 19 08 FB 4B B0 3B 2B  ..E...E.....K.;+
70 86 74 26 50 18 80 00 15 D8 00 00 32 35 30 20  p.t&P.......250 
4F 6B 0D 0A 01 00 00 00 65 00 00 01 00 01 00 05  Ok......e.......
00 01 39 31 01 00 00 00                          ..91....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS135/icmp-redirect_host [**]
04/10-18:13:39.700795 212.223.69.17 -> 134.169.69.226
ICMP TTL:248 TOS:0xC0 ID:10964 IpLen:20 DgmLen:158
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 6E 72 5A 40 00 36 06 EB AA  ..E.E..nrZ@.6...
86 A9 45 E2 D4 DF 45 1A 00 19 08 FB 4B B0 3B 33  ..E...E.....K.;3
70 86 74 54 50 18 80 00 F0 E6 00 00 35 35 34 20  p.tTP.......554 
43 6C 69 65 6E 74 20 68 6F 73 74 20 72 65 6A 65  Client host reje
63 74 65 64 3A 20 63 61 6E 6E 6F 74 20 66 69 6E  cted: cannot fin
64 20 79 6F 75 72 20 68 6F 73 74 6E 61 6D 65 2C  d your hostname,
20 5B 32 31 32 2E 32 32 33 2E 36 39 2E 32 36 5D   [212.223.69.26]
0D 0A 00 00 01 00 00 00 02 00 01 00 02 A3 00 00  ................
01 00 00 00 27 00                                ....'.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


----- End forwarded message -----

-- 
ralf.hildebrandt at ...821...                            innominate AG
System Engineer                        Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX  fax: +49.(0)30.308806-698         
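Added example (not part of Ralf's post): a small Python decoder for the hex bodies Snort printed above. An ICMP redirect quotes the datagram that triggered it, so the "220 stahlw06... ESMTP Postfix" bytes are simply the mail server's own reply to 212.223.69.26 echoed back by 212.223.69.17, not a tunnel; the script also applies the RFC 1122 acceptance rules under which a host should ignore this redirect. The first-hop router and local subnet handed to redirect_acceptable are assumed values, not taken from the post.

```python
import ipaddress
import struct

# Constructed sample: the hex bytes Snort printed for the second alert in the
# post (gateway field followed by the quoted datagram), copied from the dump.
ALERT2_HEX = """
D4 DF 45 1A 45 00 00 57 72 12 40 00 36 06 EC 09
86 A9 45 E2 D4 DF 45 1A 00 19 08 FB 4B B0 3A DB
70 86 73 EB 50 18 80 00 3D 55 00 00 32 32 30 20
73 74 61 68 6C 77 30 36 2E 73 74 61 68 6C 2E 62
61 75 2E 74 75 2D 62 73 2E 64 65 20 45 53 4D 54
50 20 50 6F 73 74 66 69 78 0D 0A 63 6F 6D 0D 0A
00 0E 10 00 01 00 00 00 00 8C A0 3A 80 00 01
"""

def parse_redirect(hex_dump):
    """Split a redirect's ICMP body into gateway + the quoted IP/TCP packet."""
    data = bytes.fromhex("".join(hex_dump.split()))
    gateway = ipaddress.IPv4Address(data[:4])
    ip = data[4:]                                   # quoted original datagram
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]     # length the router quoted
    info = {
        "gateway": str(gateway),
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": ip[9],
        "trailing": len(ip) - total_len,            # junk past the quoted datagram
    }
    if info["proto"] == 6:                          # TCP: pull ports, flags, data
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        data_off = (off_flags >> 12) * 4
        info.update(sport=sport, dport=dport, flags=off_flags & 0x1FF)
        info["payload"] = ip[ihl + data_off:total_len]
    return info

def redirect_acceptable(icmp_src, info, first_hop, local_net):
    """RFC 1122 host rules: accept a redirect only from the router the host
    is currently using, and only if the new gateway is on the local link."""
    return (ipaddress.IPv4Address(icmp_src) == ipaddress.IPv4Address(first_hop)
            and ipaddress.IPv4Address(info["gateway"]) in ipaddress.IPv4Network(local_net))

if __name__ == "__main__":
    info = parse_redirect(ALERT2_HEX)
    print(info["src"], "->", info["dst"], "port", info["sport"], "->", info["dport"])
    print("quoted SMTP data:", info["payload"])
    # Assumed local topology for the mail host (hypothetical values, not from the post).
    print("accept?", redirect_acceptable("212.223.69.17", info, "134.169.69.1", "134.169.69.0/24"))
```

The 20 bytes reported as trailing match the extra bytes every alert in the post carries beyond the quoted datagram's own length, so the "com" and later garbage are router padding, not SMTP traffic.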