[Snort-users] [Q] What could cause this?

stefmit at ...384... stefmit at ...384...
Thu Jan 18 13:30:16 EST 2001


As of yesterday morning the majority of my DMZ NT-based machines started triggering Snort to record the following type of messages:

1. DMZ machines <--> internal network machines, the following type:


[**] ICMP Unknown Type [**]
01/18-10:27:02.977091 8:0:36:1:2:A8 -> 8:0:20:90:31:78 type:0x800 len:0x4A
my_DMZ_placed_machine_IP -> different internally_placed_machines_Ip ICMP TTL:128 TOS:0x0 ID:7407
ID:2   Seq:4  ECHO REPLY
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi


2. DMZ machines <--> external (Internet) various machines

[**] ICMP Unknown Type [**]
01/18-10:23:12.355771 8:0:36:1:2:A8 -> 8:0:20:90:31:78 type:0x800 len:0x5EA
my_DMZ_placed_machine_IP -> Various_IP_valid_Internet_addressed_machines ICMP TTL:128 TOS:0x0 ID:3049  DF
ID:47423   Seq:61662  ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
..... on-and-on

Any hints on what might be causing this type of traffic? (I tried searching on whitehats.com, google.com and deja.com, but found nothing like the above, with zero-only fields or with the abcdef... sequence ?!?)
Any better methods for searching these?

I am getting logs of approx. 10-15 MB/day.

Thx in advance,
Stef
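For triaging alert volume of the kind described above, here is an added example (not from the original thread or from Snort itself) that parses the text alert layout quoted in the post, decodes each hex payload, and tallies records by endpoint pair and payload fill pattern. The embedded sample log is constructed with placeholder addresses.

```python
import re
from collections import Counter
# Constructed sample in the Snort alert format quoted in the post (placeholder addresses).
SAMPLE_LOG = """\
[**] ICMP Unknown Type [**]
01/18-10:27:02.977091 8:0:36:1:2:A8 -> 8:0:20:90:31:78 type:0x800 len:0x4A
192.0.2.10 -> 10.0.0.5 ICMP TTL:128 TOS:0x0 ID:7407
ID:2   Seq:4  ECHO REPLY
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

[**] ICMP Unknown Type [**]
01/18-10:23:12.355771 8:0:36:1:2:A8 -> 8:0:20:90:31:78 type:0x800 len:0x5EA
192.0.2.10 -> 198.51.100.7 ICMP TTL:128 TOS:0x0 ID:3049  DF
ID:47423   Seq:61662  ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
"""

IP_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) ICMP TTL:(?P<ttl>\d+)", re.M)
ICMP_RE = re.compile(r"^ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+)\s+(?P<kind>.+?)\s*$", re.M)
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16}) ", re.M)  # hex-dump lines only

def classify_payload(payload: bytes) -> str:
    """Label the ICMP data so identical fills can be counted instead of read."""
    if not payload:
        return "empty"
    if payload.count(0) == len(payload):
        return "all-zero"
    # a..w repeated: the 32-byte fill that Windows ping.exe sends by default
    if payload == bytes(ord("a") + i % 23 for i in range(len(payload))):
        return "alphabet-fill"
    return "other"

def parse_alerts(text: str) -> list:
    """Split a Snort text alert file into records with decoded ICMP payloads."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ip, icmp = IP_RE.search(block), ICMP_RE.search(block)
        if not (block.startswith("[**]") and ip and icmp):
            continue  # not an ICMP alert in the expected layout
        payload = bytes.fromhex("".join(m.group(1) for m in HEX_RE.finditer(block)))
        records.append({**ip.groupdict(), **icmp.groupdict(),
                        "payload": payload, "payload_class": classify_payload(payload)})
    return records

def summarize(text: str) -> Counter:
    """Count alerts per (src, dst, ICMP message, payload class, payload length)."""
    return Counter((r["src"], r["dst"], r["kind"], r["payload_class"], len(r["payload"]))
                   for r in parse_alerts(text))
```

Running summarize() over a full day's alert file collapses the repeated echo replies into a handful of counted rows, which is easier to search than the raw dumps.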