[Snort-users] Suspicious ICMP traces
ryan at ...35...
Tue Oct 23 08:31:06 EDT 2001
On Tue, 23 Oct 2001, Demetri Mouratis wrote:
> I'm not really sure so I thought I'd pass this along for second opinions.
> One thing that raised my suspicions was that the ICMP packet seems to
> contain a UDP datagram within it. (Or am I jumping the gun on that?)
ICMP unreachable messages contain a portion of the original packet, so
that the hosts can determine which packet was rejected.
> So, here is the relevant portion of alert:
> [**] [1:485:1] ICMP Destination Unreachable (Communication
> Administratively Prohibited) [**]
> 10/21-20:21:24.622037 22.214.171.124 -> 192.168.75.7
Are you 126.96.36.199? Is 192.168.75.7 the real attacker address, or have
you sanitized it? That's a RFC1918 address.
> I've got maybe 10,000 of these over a few day period. I'm also seeing
> portscans from 192.168.75.7 so I'm pretty sure something is not right
Well, if you're sending ICMP unreachables in response to being
protscanned, that's pretty much what is supposed to happen.
More information about the Snort-users