[Snort-users] (no subject)

Jim Brown jpb at ...10281...
Mon Dec 1 19:56:01 EST 2003


* CGhercoias at ...8619... <CGhercoias at ...8619...> [2003-12-01 13:35]:
> Hi,
> 
> In the past few days our snort was recording these types of alerts.
> Both 177.x.x.x and 177.y.y.y are on the same network segment and are
> inside of the company, firewalled from Internet.
> In a short period of time (between 2003-11-28 11:11:24 and 2003-11-28
> 11:26:20 -- 15 minutes), snort recorded roughly 44.000 alerts.
> Does anyone know what they mean?
> 
> Any help will be appreciated.
> Thank you,
> ___________________________
> Catalin Ghercoias 
> WEB/Network Security Administrator 
> 
> <<<<<<<<<<<<<<<<<<DATA FROM SNORT>>>>>>>>>>>>>>>>>>>
> 
> AlertsGenerated by ACID v0.9.6b23 on Mon,  1 Dec 2003 13:20:39 -0500
> 
> ------------------------------------------------------------------------------
> #(3 - 1249126) [2003-11-28 11:11:24] [snort/1322]  BAD-TRAFFIC bad frag bits
> IPv4: 177.x.x.x -> 177.y.y.y
>       hlen=5 TOS=0 dlen=1500 ID=15379 flags=1 offset=59420 TTL=64 chksum=20975
> ICMP: type=Echo Reply code=
>       checksum= id= seq=
> Payload:  length = 1480
> 
> 000 : 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 44 45 46 47   89:;<=>?@ABCDEFG
> 010 : 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57   HIJKLMNOPQRSTUVW
> 020 : 58 59 5A 5B 5C 5D 5E 5F 60 61 62 63 64 65 66 67   XYZ[\]^_`abcdefg
> 030 : 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77   hijklmnopqrstuvw

[snip]

You might check your Cisco logs.  Cisco IOS has the ability
to send ICMP echo requests at essentially wire speed.  I've done
them myself for certain kinds of performance testing.

Sounds to me like someone did an 'enable' ping and set various options.

Best Regards,
jpb
===
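The alert in the quoted report is Snort's sid 1322; the rule as shipped (`fragbits:MD`) fires on an IPv4 header that has the Don't Fragment and More Fragments bits set at the same time, a combination no correct sender produces. As an added example, not code from the thread or from Snort, here is a Python decoder for the header fields ACID prints, the sid-1322 condition, and a small planner showing how a large ping datagram splits at a 1500-byte MTU into dlen=1500 fragments carrying 1480 bytes each, the sizes the report shows. The addresses and packet bytes are constructed test data, not the poster's hosts.

```python
import struct

# Bits of the IPv4 flags / fragment-offset field (RFC 791).
IP_RF = 0x8000       # reserved, must be zero
IP_DF = 0x4000       # Don't Fragment
IP_MF = 0x2000       # More Fragments
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units

HDR_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement sum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, total_len, ident, flags, offset, ttl=64, proto=1):
    """Construct a 20-byte IPv4 header with a valid checksum (test data only)."""
    frag_field = flags | ((offset // 8) & IP_OFFMASK)
    fields = [0x45, 0, total_len, ident, frag_field, ttl, proto, 0,
              bytes(int(o) for o in src.split(".")),
              bytes(int(o) for o in dst.split("."))]
    fields[7] = ipv4_checksum(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields)


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields ACID prints for an IPv4 event (hlen, TOS, dlen, ID, flags, offset, TTL, chksum)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, frag_field,
     ttl, proto, chksum, src, dst) = struct.unpack(HDR_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "hlen": ihl, "tos": tos, "dlen": total_len, "id": ident,
        "rf": bool(frag_field & IP_RF),
        "df": bool(frag_field & IP_DF),
        "mf": bool(frag_field & IP_MF),
        "offset": (frag_field & IP_OFFMASK) * 8,   # in bytes, as ACID prints it
        "ttl": ttl, "proto": proto, "chksum": chksum,
        # summing the whole header including its checksum folds to 0xFFFF when valid
        "chksum_ok": ipv4_checksum(pkt[:ihl * 4]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def bad_frag_bits(hdr: dict) -> bool:
    """What sid 1322 ("BAD-TRAFFIC bad frag bits", fragbits:MD) matches: DF and MF together."""
    return hdr["df"] and hdr["mf"]


def fragment_plan(payload_len: int, mtu: int = 1500, ihl: int = 5):
    """Fragments a datagram carrying payload_len bytes splits into at the given MTU.
    Returns (offset_bytes, dlen, more_fragments); every non-final fragment carries the
    largest multiple of 8 bytes that fits, which is 1480 at MTU 1500 with a 20-byte header."""
    hlen = ihl * 4
    per_frag = ((mtu - hlen) // 8) * 8
    plan, off = [], 0
    while off < payload_len:
        chunk = min(per_frag, payload_len - off)
        plan.append((off, hlen + chunk, off + chunk < payload_len))
        off += chunk
    return plan


def scan(packets):
    """Apply the sid-1322 condition to raw IPv4 headers; returns ACID-style event lines."""
    events = []
    for n, pkt in enumerate(packets, 1):
        hdr = parse_ipv4_header(pkt)
        if bad_frag_bits(hdr):
            events.append("#%d [snort/1322] BAD-TRAFFIC bad frag bits %s -> %s ID=%d offset=%d dlen=%d"
                          % (n, hdr["src"], hdr["dst"], hdr["id"], hdr["offset"], hdr["dlen"]))
    return events


# Constructed samples (RFC 5737 documentation addresses): a normal middle fragment of a
# large ping (MF only) and a second fragment with DF and MF both set.
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.1", "192.0.2.2", 1500, 15379, IP_MF, 1480),
    build_ipv4_header("192.0.2.1", "192.0.2.2", 1500, 15379, IP_DF | IP_MF, 2960),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
    for off, dlen, more in fragment_plan(4000):
        print("offset=%d dlen=%d MF=%d" % (off, dlen, more))
```

Run as a script it prints the one constructed event and the three-fragment plan for a 4000-byte payload; the same `scan()` can be pointed at headers pulled from a capture on the segment, which is the quickest way to confirm whether the bad-bits events all share one source and a running ID sequence, as a single host generating pings would.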