[Snort-users] Suspicious ICMP traces

Ryan Russell ryan at ...35...
Tue Oct 23 08:31:06 EDT 2001


On Tue, 23 Oct 2001, Demetri Mouratis wrote:

> I'm not really sure so I thought I'd pass this along for second opinions.
> One thing that raised my suspicions was that the ICMP packet seems to
> contain a UDP datagram within it.  (Or am I jumping the gun on that?)

ICMP unreachable messages contain a portion of the original packet, so
that the hosts can determine which packet was rejected.

>
> So, here is the relevant portion of alert:
>
> [**] [1:485:1] ICMP Destination Unreachable (Communication
> Administratively Prohibited) [**]
> 10/21-20:21:24.622037 12.125.63.42 -> 192.168.75.7

Are you 12.125.63.42?  Is 192.168.75.7 the real attacker address, or have
you sanitized it?  That's an RFC1918 address.

> I've got maybe 10,000 of these over a few day period.  I'm also seeing
> portscans from 192.168.75.7 so I'm pretty sure something is not right
> here.

Well, if you're sending ICMP unreachables in response to being
portscanned, that's pretty much what is supposed to happen.

					Ryan
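
As an added illustration of Ryan's two points (an ICMP unreachable carries the IP header plus the first 8 bytes of the rejected datagram, and the embedded source being RFC1918 is worth checking), here is a small parser that is not part of this thread. It builds a constructed type 3 / code 13 packet using the two addresses from the alert, with an invented embedded UDP flow (ports 40123 -> 53), and pulls the original flow back out the way an analyst would when triaging such alerts.

```python
import ipaddress
import struct


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left as 0 for the sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_unreachable(sender, receiver, orig_src, orig_dst, sport, dport, code=13):
    """Constructed ICMP type 3 packet wrapping the rejected UDP datagram.

    Per RFC 792 the ICMP body carries the original IP header plus the first
    8 bytes of its payload, i.e. the whole UDP header here.
    """
    udp = struct.pack("!HHHH", sport, dport, 8 + 5, 0)      # original UDP header
    inner = ipv4_header(orig_src, orig_dst, 17, 20 + 8 + 5) + udp
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner       # type, code, csum, unused
    return ipv4_header(sender, receiver, 1, 20 + len(icmp)) + icmp


def parse_unreachable(pkt):
    """Return the rejected flow found inside an ICMP unreachable, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                      # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 3:                     # only Destination Unreachable
        return None
    inner = icmp[8:]                     # quoted original IP header starts here
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    orig_src = ipaddress.IPv4Address(inner[12:16])
    orig_dst = ipaddress.IPv4Address(inner[16:20])
    l4 = inner[inner_ihl:inner_ihl + 8]  # the 8 quoted transport bytes
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {
        "code": icmp[1],
        "sender": str(ipaddress.IPv4Address(pkt[12:16])),
        "orig_src": str(orig_src), "orig_dst": str(orig_dst),
        "proto": proto, "sport": sport, "dport": dport,
        # flags the situation Ryan asks about: an RFC1918 source on the wire
        "orig_src_private": orig_src.is_private,
    }


def demo():
    """Sender and receiver are the alert's addresses; the inner flow is made up."""
    pkt = build_unreachable("12.125.63.42", "192.168.75.7",
                            "192.168.75.7", "12.125.63.42", 40123, 53)
    return parse_unreachable(pkt)
```

Run against real captures, the same parse tells you which of your own outbound packets the remote filter rejected, which is the quickest way to confirm whether the 10,000 alerts are the expected echo of your scans or something else.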
