[Snort-users] ICMP Time-To-Live Exceeded in Transit

Erwin Van de Velde erwin.vandevelde at ...10361...
Tue Dec 23 04:03:04 EST 2003


Hi,

By popular demand, here is some more information :-) 
I discovered something by taking a closer look:

The alerts are on inbound packets, with as payload 
org. source ip: 192.168.0.2
org source port: 2048 (ALWAYS!!!???) <<===
org dest ip: differs, external ip's
org dest port: differs, between 40000 and 60000

I didn't read all the alerts as there are too many, but I tested +/- 20 of them 
and these were the results...
I do not think it's a virus, as I'm running a virus scanner (Norton AV 2003) 
there, which is fully updated. I'm especially concerned about the fixed 
source port now... 
Does anybody know about this?

Thanks in advance,
Erwin Van de Velde
Student of Antwerp University,
Belgium



On Tuesday 23 December 2003 12:26, Edin Dizdarevic wrote:
> Hi,
>
> what is in the payload? Those ICMP-packets (usually) transport 8 bytes
> of the packet's header that caused the error. If the originate packets
> are coming from your host(s), then you may probably often use
> traceroute ;). If not, consider creating a passrule for those packets.
> Where is your sensor sitting? On the router or on your computer? You may
> also consider running Snort behind your packet filter (if you have one).
> Your NATing router should only forward ICMP errors that are related to your
> connections. *DO NOT BLOCK ICMP* completely, since that may cause more
> problems than it solves.
>
> Hm, the more I think about your problem, the more it is becoming clear
> to me that you simply provided a bit too little information ;) .
>
> Regards,
> Edin
>
> Erwin Van de Velde schrieb:
> > Hi,
> >
> > I'm using snort 2.1.0 and I'm getting quite a lot of these alerts
> > (43% of the total of alerts). All packets that are logged, are going
> > to a computer behind my router. I'm using NAT on the router, and my
> > internal network has only one computer behind it: 192.168.0.2. Router
> > has (DHCP configured IP, 192.168.0.1) as IP addresses. What can I do
> > to get rid of all these messages, except disabling this rule? Is
> > there a way to tweak snort, so that it does not generate these false
> > positives anymore? Is it an error caused by shorewall, that I use on
> > the router for NAT, or is there another reason why these alerts are
> > generated?
> >
> > Thanks in advance,
> >
> > Erwin Van de Velde Student of Antwerp University Belgium
>
> [...]
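As an added illustration (not part of the original thread, and not code from either poster) of the point in Edin's reply that an ICMP error quotes the original packet's IP header plus the first 8 bytes of its transport header: the Python below builds a constructed ICMP Time Exceeded message and decodes those quoted bytes according to the inner protocol number before interpreting them. The external addresses, ports and ICMP identifiers are invented sample values; only 192.168.0.2 comes from the thread. Reading the inner protocol first matters because an inner ICMP echo request begins with type 8, code 0 (bytes 0x08 0x00), which a display that treats every quoted packet as TCP/UDP would report as source port 2048.

```python
import ipaddress
import struct

ICMP_TIME_EXCEEDED = 11
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_time_exceeded(expired_packet: bytes) -> bytes:
    """ICMP type 11, code 0: 8-byte ICMP header + quoted IP header + 8 bytes of transport header."""
    quoted = expired_packet[:28]  # 20-byte IP header + 8 bytes, as RFC 792 requires
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def decode_quoted_packet(icmp_msg: bytes) -> dict:
    """Decode the original datagram quoted inside a Time Exceeded message.

    Ports are reported only when the inner protocol is TCP or UDP; for an inner
    ICMP packet the same two bytes are its type and code, and 'as_if_port' shows
    what a port-oriented display would have printed for them.
    """
    if checksum(icmp_msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, icmp_code, _ = struct.unpack("!BBH", icmp_msg[:4])
    if icmp_type != ICMP_TIME_EXCEEDED:
        raise ValueError("not an ICMP Time Exceeded message")
    inner = icmp_msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        raise ValueError("truncated: fewer than 8 bytes of the original transport header quoted")
    proto = inner[9]
    first8 = inner[ihl:ihl + 8]
    result = {
        "icmp_code": icmp_code,
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_ttl": inner[8],
        "orig_proto": proto,
    }
    if proto in (PROTO_TCP, PROTO_UDP):
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", first8[:4])
    elif proto == PROTO_ICMP:
        result["orig_icmp_type"], result["orig_icmp_code"] = first8[0], first8[1]
        result["as_if_port"] = struct.unpack("!H", first8[:2])[0]
    return result


def sample_icmp_alert() -> bytes:
    """Constructed: an echo request 192.168.0.2 -> 203.0.113.7 (TEST-NET-3) whose TTL expired."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x4242, 1) + b"abcdefgh"
    echo = echo[:2] + struct.pack("!H", checksum(echo)) + echo[4:]
    expired = build_ipv4_header("192.168.0.2", "203.0.113.7", PROTO_ICMP, 1, len(echo)) + echo
    return build_time_exceeded(expired)


def sample_udp_alert() -> bytes:
    """Constructed: a UDP probe 192.168.0.2:50000 -> 203.0.113.7:33434 whose TTL expired."""
    udp = struct.pack("!HHHH", 50000, 33434, 16, 0) + b"\x00" * 8  # UDP checksum 0 = omitted
    expired = build_ipv4_header("192.168.0.2", "203.0.113.7", PROTO_UDP, 1, len(udp)) + udp
    return build_time_exceeded(expired)


if __name__ == "__main__":
    for msg in (sample_icmp_alert(), sample_udp_alert()):
        print(decode_quoted_packet(msg))
```

Run against a real alert, the input would be the ICMP payload Snort logged rather than the constructed samples; the decoder rejects messages with a bad checksum or with fewer than 8 quoted transport bytes, which are the two cases where the "original port" fields a tool prints cannot be trusted.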
