[Snort-users] Suspicious ICMP traces

Cessna, Michael MCessna at ...3439...
Tue Oct 23 12:14:34 EDT 2001


I have been seeing these messages lately also. I traced it down to a program
called IMESH. It is a Napster-like file sharing prog. Seems that the program
will ping the connected clients every minute. If you turn on the ICMP
Speedera rule with the internal network as the source you can see what PCs
these pings are originating from.
I only put the two together when I installed a new sensor and forgot to
uncomment the var $HOMENET all line. Then when I looked in ACID I noticed
all the ICMP unreachable messages had a corresponding ICMP Speedera alert. I
checked the machine it was coming from (I knew the node was MS2K so I wanted
to find out what was going on with a BSD-type ping packet coming from a MS
node). Found that IMESH was running and found that it was the originator of
the ping packets. I'm assuming that the programmer ported the code from a
*NIX box since MS pings don't look like this.

I'm looking into creating a policy rule to catch anyone using this prog.
I'll post it when I get a chance to write it.

I remember reading that requests were made to Speedera to alter their ping
packet to differentiate their service from info-gathering attempts. Does
anyone know if they have done anything about it?

Mike

-----Original Message-----
From: Ofir Arkin [mailto:ofir at ...949...]
Sent: Tuesday, October 23, 2001 12:44 PM
To: 'Demetri Mouratis'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Suspicious ICMP traces


Demetri,

This does not seem to be a tunneled message. This is simply the echoed
information from the original offending packet; each and every ICMP
Error message carries with it (usually) the IP header + 8 data bytes of
the offending packet.

Now, the type of message you are seeing is ICMP Port Unreachable -
Communication Administratively Prohibited. 

According to the trace you provided, IP 12.125.63.42 tried to
communicate with IP 192.168.75.5 (I bet this is a replaced IP, since
192.168.*.* is a reserved class B). From the trace provided we can see
that 12.125.63.42 tried to access port 137 on the target.

Some filtering device between the two prohibited the communication. It
can be a router or any other filtering device (even a firewall
configured to REJECT rather than DROP). This message notified the
sending side that this kind of communication is not allowed.

You can read more on this issue from my research paper "ICMP Usage In
Scanning" available from http://www.sys-security.com. Page 19: "The
Error message indicates that the destination system is configured to
reject datagrams from the sending system. This error is used when
datagrams based on some sort of criteria are being filtered by a
filtering device (firewall/router/other filtering devices) restrictions
or other security measures. We can conclude that our Destination Host is up and running,
but we cannot reach it, since the filtering device is blocking our
packets, and is instructing us to stop sending datagrams."

I hope this helps you out.

Ofir Arkin [ofir at ...949...]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
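The structure Ofir describes, an ICMP Destination Unreachable message that quotes the offending datagram's IP header plus its first 8 bytes, can be checked directly on the wire bytes. The decoder below is an added example written for this thread, not code from Ofir, Snort or the Sys-Security paper; the packet it decodes is constructed here to mirror the values in Demetri's alert (192.168.75.7:137 -> 216.73.128.3:137, UDP, TTL 112, ID 50100, DgmLen 96, UDP Len 76), and all function names are this example's own. It also reports how many bytes of the original datagram are *not* carried, which is the practical difference between a filter's error reply (header + 8 bytes, no payload) and something that actually moves data inside ICMP.

```python
"""Decode an ICMP Destination Unreachable message and show what it quotes.

Added example, not code from the thread: the bytes below are constructed to
mirror the values in the Snort alert, not captured packets.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Destination Unreachable codes (RFC 792 / RFC 1812); 13 is the one in the alert.
UNREACH_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    3: "Port Unreachable",
    9: "Communication with Destination Network Administratively Prohibited",
    10: "Communication with Destination Host Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by IPv4, ICMP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, total_len, ident, ttl, proto):
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_unreach(code, quoted):
    """ICMP type 3 message: 8-byte header followed by the quoted datagram bytes."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_error(msg: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message and its quoted datagram.

    Raises ValueError for anything that is not a well-formed type 3 message.
    """
    if len(msg) < 8 + 20:
        raise ValueError("too short to carry an ICMP error plus a quoted IP header")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not an ICMP Destination Unreachable message")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("quoted bytes do not start with a complete IPv4 header")
    (_vi, _tos, total_len, ident, _ff, ttl, proto, _hc, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    quoted_l4 = inner[ihl:]  # normally only the first 8 bytes of the transport header
    info = {
        "code": code,
        "code_name": UNREACH_CODES.get(code, "unknown"),
        "orig_src": socket.inet_ntoa(src),
        "orig_dst": socket.inet_ntoa(dst),
        "orig_ttl": ttl,
        "orig_id": ident,
        "orig_dgmlen": total_len,
        "quoted_l4_bytes": len(quoted_l4),
        # Bytes of the original datagram this error does NOT carry: a normal
        # error reply quotes header + 8 bytes, so the UDP payload is absent.
        "orig_bytes_not_quoted": max(total_len - ihl - len(quoted_l4), 0),
    }
    if proto == IPPROTO_UDP and len(quoted_l4) >= 8:
        sport, dport, ulen, _ucs = struct.unpack("!HHHH", quoted_l4[:8])
        info.update(proto_name="UDP", sport=sport, dport=dport, udp_len=ulen)
    elif proto == IPPROTO_TCP and len(quoted_l4) >= 8:
        sport, dport, seq = struct.unpack("!HHI", quoted_l4[:8])
        info.update(proto_name="TCP", sport=sport, dport=dport, seq=seq)
    else:
        info.update(proto_name="proto %d" % proto)
    return info


def expected_outer_dgmlen(icmp_msg: bytes, outer_ihl: int = 20) -> int:
    """Total length of the IP datagram carrying this ICMP message (Snort's DgmLen)."""
    return outer_ihl + len(icmp_msg)


# Constructed sample: the original datagram as described by the alert's
# ORIGINAL DATAGRAM DUMP, of which the ICMP error quotes header + 8 bytes.
ORIG_IP_HDR = ipv4_header("192.168.75.7", "216.73.128.3", total_len=96,
                          ident=50100, ttl=112, proto=IPPROTO_UDP)
ORIG_UDP_HDR = struct.pack("!HHHH", 137, 137, 76, 0)  # UDP checksum left 0 (constructed)
SAMPLE_ICMP = icmp_unreach(13, ORIG_IP_HDR + ORIG_UDP_HDR)

if __name__ == "__main__":
    for key, val in parse_icmp_error(SAMPLE_ICMP).items():
        print("%-22s %s" % (key, val))
    print("outer DgmLen expected:", expected_outer_dgmlen(SAMPLE_ICMP))
```

Running it on the constructed sample gives exactly the figures Snort printed: the quoted header says 96 bytes were sent, only 8 bytes of UDP (the header, ports 137 -> 137, Len 76) are echoed, the remaining 68 bytes of payload are absent, and 20 + 8 + 20 + 8 = 56 matches the alert's DgmLen:56. For an incident responder that arithmetic is the quick check: an ICMP error whose quoted region is much longer than header + 8 bytes, or whose quoted header does not match anything the inside host actually sent, is what deserves a closer look.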

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Demetri
Mouratis
Sent: Tuesday, 23 October 2001 8:23
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Suspicious ICMP traces

Hello.  I'm interested in finding out what this packet trace might
represent.  I've done some reading on the subject and this looks like
some kind of ICMP tunnel to me.  Specifically, I'm worried that this might
be a Loki type tunnel.

I'm not really sure so I thought I'd pass this along for second
opinions.
One thing that raised my suspicions was that the ICMP packet seems to
contain a UDP datagram within it.  (Or am I jumping the gun on that?)

So, here is the relevant portion of alert:

[**] [1:485:1] ICMP Destination Unreachable (Communication
Administratively Prohibited) [**]
10/21-20:21:24.622037 12.125.63.42 -> 192.168.75.7
ICMP TTL:246 TOS:0x0 ID:64752 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.168.75.7:137 -> 216.73.128.3:137
UDP TTL:112 TOS:0x0 ID:50100 IpLen:20 DgmLen:96
Len: 76
** END OF DUMP

I've got maybe 10,000 of these over a few day period.  I'm also seeing
portscans from 192.168.75.7 so I'm pretty sure something is not right
here.

Thanks in advance for any help you can provide.


---------------------------------------------------------------------
Demetri Mouratis
dmourati at ...3878...


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

