[Snort-users] A question about TFN icmp alert IDS183

Ed Padin ohdamnthathurts at ...131...
Tue Jan 16 12:58:58 EST 2001


Greets,

I have a question about an alert I got recently. I'm trying to determine if
it's a cause for concern.

I have two Linux servers. One of them is running the Big Brother network
monitoring application. The other is a web server accessible to the world
and runs the bigbro client. I don't think that bigbro does any weird ICMP
stuff...


I got a syslog alert like this:

Jan 15 19:26:35 snortserver snort[6996]: IDS183/ddos-tfn-client-command-le:
X.X.X.106 -> Y.Y.Y.30


I looked at the packet data and found this:

[**] IDS183/ddos-tfn-client-command-le [**]
01/15-19:26:56.200876 X.X.X.106 -> Y.Y.Y.30
ICMP TTL:252 TOS:0x0 ID:1926
ID:51201   Seq:0  ECHO REPLY
50 95 63 3A 01 D9 01 00 08 09 0A 0B 0C 0D 0E 0F  P.c:............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567



Both boxes are running tripwire from the day the OS was installed and
tripwire's not complaining. What's the likelihood that this is a false
alert? Is there any type of 'normal' behavior that can lead to an ICMP
packet getting an icmp_id of 51201?


BTW: Here's the link to Max's database http://www.whitehats.com/info/IDS183


Thanks.
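An added check that decodes the dumped packet data, not part of the post or of Snort: the payload is the stock ping data format (8-byte little-endian struct timeval followed by the filler bytes 0x08, 0x09, ...), so the embedded timestamp can be compared with the capture time, and the ICMP ID can be shown byte-swapped (51201 is 0x01C8 = 456 with its bytes reversed, which is what the "-le" signature variants match). It assumes the sensor clock is EST (UTC-5), as the mail header suggests.

```python
import struct
from datetime import datetime, timezone

# Payload hex dump copied from the IDS183 alert in the post (snort prints
# the ICMP data only; the 8-byte ICMP header is shown as ID/Seq above it).
ALERT_DUMP = """
50 95 63 3A 01 D9 01 00 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
30 31 32 33 34 35 36 37
"""
ALERT_ICMP_ID = 51201
# Capture time from the alert header, 01/15-19:26:56.200876 in the sensor's
# local time (assumed EST, UTC-5, to match the mail header date).
CAPTURE_TIME = datetime(2001, 1, 16, 0, 26, 56, 200876, tzinfo=timezone.utc)

def parse_dump(dump):
    """Turn snort's hex dump (hex columns only) into raw payload bytes."""
    return bytes(int(tok, 16) for line in dump.split("\n") for tok in line.split())

def byteswap16(icmp_id):
    """The '-le' signature variants match the TFN ID with its two bytes swapped."""
    return ((icmp_id & 0xFF) << 8) | (icmp_id >> 8)

def looks_like_ping_payload(payload):
    """Stock ping data: an 8-byte struct timeval followed by the incrementing
    filler 0x08, 0x09, ... (exactly what the dump above shows)."""
    return len(payload) >= 8 and all(
        b == (8 + i) & 0xFF for i, b in enumerate(payload[8:]))

def ping_timestamp(payload):
    """Decode the little-endian struct timeval ping writes at the payload start."""
    sec, usec = struct.unpack("<II", payload[:8])
    return datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)

def assess_alert(dump=ALERT_DUMP, icmp_id=ALERT_ICMP_ID, captured=CAPTURE_TIME):
    """Verdict: a stock ping reply whose embedded timestamp agrees with the
    capture time is almost certainly ping (ICMP ID = getpid()), not TFN."""
    payload = parse_dump(dump)
    if not looks_like_ping_payload(payload):
        return "payload is not the stock ping pattern: investigate"
    ts = ping_timestamp(payload)
    if abs((captured - ts).total_seconds()) > 5:
        return "stock ping pattern but timestamp does not match capture: investigate"
    return ("stock ping payload, timestamp %s UTC matches capture; icmp id %d "
            "(%d byte-swapped) is consistent with ping's getpid(): probable false positive"
            % (ts.strftime("%Y-%m-%d %H:%M:%S"), icmp_id, byteswap16(icmp_id)))

if __name__ == "__main__":
    print(assess_alert())
```

For the dump in the post the decoded timeval is 2001-01-16 00:26:56.121089 UTC, about 80 ms before the capture time, which is what a reply to a single `ping -c 1` (hence Seq:0) looks like.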