[Snort-users] Is this a bug??
sun.admin at ...530...
Thu Sep 20 22:17:02 EDT 2001
> Hi Gurus,
> I am still very new to snort. I was checking my log and I saw something very
> interesting which I can't explain. I've seen something like that a lot of
> times, my box is sending out icmp port unreachable to 205.188.153.X (icq
> servers), and I am running icq.
> [**] [1:402:1] ICMP Destination Unreachable (Port Unreachable) [**]
> 09/19-02:17:36.066612 a.b.c.20 -> 220.127.116.11
> ICMP TTL:64 TOS:0x0 ID:2112 IpLen:20 DgmLen:56 DF
> Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 18.104.22.168:0 -> a.b.c.20:0
> UDP TTL:231 TOS:0x0 ID:47112 IpLen:20 DgmLen:100
> ** END OF DUMP
> To my understanding... this means 22.214.171.124 sent a udp packet to my
> (a.b.c.20) at port 0, then my box sent an icmp port unreachable packet to
> the sender.
> Port 0 to Port 0, seems very interesting. However, when I did a
> mytcpdumpbinaryfile port 0" , I got nothing.... I used ethereal to do a
> filtering on port 0.. got nothing.. Well.. but I saw this
> 02:17:36.065076 126.96.36.199.53 > a.b.c.20.2234: 1280 [b2&3=0x4d]
> [12306a] [51673q] [517n] Type7272 (Class 16384)? . (72) (DF)
> Pls note the timestamp. I believe my outgoing icmp packet is responding to
> the ??dns query to my udp port 2234
> I emailed icq support and asked them, they said this is not supported.
> Here's my question:
> 1) Did I read the snort log wrong? port 0 -> port 0?? I can't find any
> thing went to my port 0 from tcpdump, how can snort find it??
> 2) Why is icq server initiating a traffic from a low port (53) to my high
> Any idea??
> thx in advance, I appreciate your help
> PS: Solaris7sparc(64bit) 300Mhz, 4Gb, 128Mb Snort 181 build 74
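An added example (not from the original post or from Snort's own decoder) showing where the port numbers in an ICMP Destination Unreachable come from: the message carries the offending datagram's IP header plus the first 8 bytes of its payload, so the UDP ports are read from those 8 bytes, and a quote truncated before them leaves no ports to show. The addresses and values are constructed to mirror the post's log (a 100-byte UDP datagram from port 53 to local port 2234).

```python
import socket
import struct

def ipv4_header(src, dst, proto, total_len, ident=0, ttl=64, df=True):
    """Minimal 20-byte IPv4 header, no options. Checksum left at 0 (constructed sample)."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_port_unreachable(src, dst, offending_ip_hdr, offending_first8):
    """ICMP Type 3 Code 3 (RFC 792): 8-byte ICMP header, then the offending
    datagram's IP header plus the first 8 bytes of its payload (the L4 ports)."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending_ip_hdr + offending_first8
    return ipv4_header(src, dst, proto=1, total_len=20 + len(icmp)) + icmp

def decode_port_unreachable(pkt):
    """Decode outer IP + ICMP and recover the quoted original datagram's
    addresses, protocol, claimed length and ports (None when not quoted)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("outer protocol is not ICMP")
    icmp = pkt[ihl:]
    if (icmp[0], icmp[1]) != (3, 3):
        raise ValueError("not a port-unreachable message")
    inner = icmp[8:]                       # quoted original datagram starts here
    if len(inner) < 20:
        raise ValueError("quoted datagram too short for an IP header")
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]    # first 8 bytes of the original payload
    ports = struct.unpack("!HH", l4[:4]) if inner[9] in (6, 17) and len(l4) >= 4 else (None, None)
    return {
        "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
        "proto": inner[9], "ttl": inner[8],
        "id": struct.unpack("!H", inner[4:6])[0],
        "dgmlen": struct.unpack("!H", inner[2:4])[0],   # length of the full original, not of the quote
        "sport": ports[0], "dport": ports[1],
    }

# Constructed sample mirroring the post: a 100-byte UDP datagram from a DNS
# server's port 53 to local port 2234, answered with a port-unreachable.
ORIG_HDR = ipv4_header("198.51.100.53", "192.0.2.20", proto=17, total_len=100, ident=47112, ttl=231)
ORIG_UDP = struct.pack("!HHHH", 53, 2234, 80, 0)   # sport, dport, udp length, checksum
SAMPLE = build_port_unreachable("192.0.2.20", "198.51.100.53", ORIG_HDR, ORIG_UDP)

if __name__ == "__main__":
    print(decode_port_unreachable(SAMPLE))
```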