[Snort-users] ICMP Time-To-Live Exceeded in Transit

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Dec 23 04:45:01 EST 2003


Hi,

1. ?
http://www.google.com/search?q=port+2048&hl=de&lr=&ie=UTF-8&oe=UTF-8&start=10&sa=N


2. ?
http://www.iss.net/security_center/advice/Exploits/Ports/2048/default.htm

3. ?
http://lists.jammed.com/incidents/2003/08/index.html#306

4. ?
TCP/UDP

Regards,
Edin



Erwin Van de Velde schrieb:

> Hi,
> 
> By popular demand, here is some more information :-) 
> I discovered something by taking a closer look:
> 
> The alerts are on inbound packets, with the following payload:
> org. source ip: 192.168.0.2
> org source port: 2048 (ALWAYS!!!???) <<===
> org dest ip: differs, external IPs
> org dest port: differs, between 40000 and 60000
> 
> I didn't read all the alerts as there are too many, but I tested +/- 20 of them 
> and these were the results...
> I do not think it's a virus, as I'm running a virus scanner (Norton AV 2003) 
> there, which is fully updated. I'm especially concerned about the fixed 
> source port now... 
> Does anybody know about this?
> 
> Thanks in advance,
> Erwin Van de Velde
> Student of Antwerp University,
> Belgium
> 
> 
> 
> On Tuesday 23 December 2003 12:26, Edin Dizdarevic wrote:
> 
>>Hi,
>>
>>what is in the payload? Those ICMP-packets (usually) transport 8 bytes
>>of the packet's header that caused the error. If the originating packets
>>are coming from your host(s), then you may probably often use
>>traceroute ;). If not, consider creating a pass rule for those packets.
>>Where is your sensor sitting? On the router or on your computer? You may
>>also consider running Snort behind your packet filter (if you have one).
>>Your NATing router should only forward ICMP errors that are related to your
>>connections. *DO NOT BLOCK ICMP* completely, since that may cause more
>>problems than it solves.
>>
>>Hm, the more I think about your problem, the more it is becoming clear
>>to me that you simply provided a bit too little information ;) .
>>
>>Regards,
>>Edin
>>
>>Erwin Van de Velde schrieb:
>>
>>>Hi,
>>>
>>>I'm using snort 2.1.0 and I'm getting quite a lot of these alerts
>>>(43% of the total of alerts). All packets that are logged, are going
>>>to a computer behind my router. I'm using NAT on the router, and my
>>>internal network has only one computer behind it: 192.168.0.2. Router
>>>has (DHCP configured IP, 192.168.0.1) as IP addresses. What can I do
>>>to get rid of all these messages, except disabling this rule? Is
>>>there a way to tweak snort, so that it does not generate these false
>>>positives anymore? Is it an error caused by shorewall, that I use on
>>>the router for NAT, or is there another reason why these alerts are
>>>generated?
>>>
>>>Thanks in advance,
>>>
>>>Erwin Van de Velde Student of Antwerp University Belgium
>>
>>[...]
> 
> 
> 

-- 
Edin Dizdarevic
Networking Development
System Developer

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic at ...7509...
URL     http://www.interActive-Systems.de/security
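The triage Edin suggests (look at what the ICMP error quotes, and decide whether the quoted packet was one of yours before writing a pass rule) can be automated. The following is an added example written for this page, not code from the thread, from Snort, or from either poster. An ICMP Time Exceeded message carries the IP header of the offending packet plus the first 8 bytes of that packet's data, which for TCP and UDP means the source and destination ports (RFC 792). The example builds a few such datagrams from constructed values modelled on what Erwin reported (quoted source 192.168.0.2, source port 2048, varying external destinations and high destination ports; the 198.51.100.x and 203.0.113.x addresses are documentation-range placeholders), parses the quoted header back out, and splits the errors into "about our own traffic" versus "about traffic we never sent", while tallying quoted source ports so a fixed value like 2048 stands out:

```python
import ipaddress
import struct

ICMP_TIME_EXCEEDED = 11
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; only used for constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_time_exceeded(router_ip, victim_ip, orig_src, orig_dst, proto, sport, dport):
    """Construct an ICMP Time Exceeded (type 11, code 0) datagram the way a router would.

    The ICMP payload quotes the offending packet's IP header plus the first 8 bytes of its
    transport header (RFC 792): enough to recover addresses, protocol and ports.
    """
    quoted_transport = struct.pack("!HHI", sport, dport, 0)      # ports + 4 filler bytes
    quoted = build_ipv4_header(orig_src, orig_dst, proto, 8) + quoted_transport
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quoted  # type, code, csum, unused
    return build_ipv4_header(router_ip, victim_ip, PROTO_ICMP, len(icmp), ttl=250) + icmp


def parse_time_exceeded(packet):
    """Return the 5-tuple quoted inside an IPv4 ICMP Time Exceeded packet, or None.

    None is returned for anything that is not ICMP type 11 or that quotes too little
    of the original packet to be useful.
    """
    if len(packet) < 20 or packet[9] != PROTO_ICMP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    quoted = icmp[8:]                      # the original packet's IP header starts here
    if len(quoted) < 20:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    info = {
        "src": str(ipaddress.IPv4Address(quoted[12:16])),
        "dst": str(ipaddress.IPv4Address(quoted[16:20])),
        "proto": quoted[9],
        "sport": None,
        "dport": None,
    }
    transport = quoted[q_ihl:q_ihl + 8]
    if info["proto"] in (PROTO_TCP, PROTO_UDP) and len(transport) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", transport[:4])
    return info


def triage(packets, local_net):
    """Split Time Exceeded errors by whether the quoted packet came from local_net.

    Returns (ours, foreign, source_ports). 'ours' are errors about traffic we sent
    (expected for traceroute or genuinely expiring TTLs) and are candidates for a
    pass rule; 'foreign' quote packets we never sent and deserve a closer look;
    source_ports counts the quoted source ports so a fixed value is easy to spot.
    """
    net = ipaddress.IPv4Network(local_net)
    ours, foreign, source_ports = [], [], {}
    for pkt in packets:
        info = parse_time_exceeded(pkt)
        if info is None:
            continue
        (ours if ipaddress.IPv4Address(info["src"]) in net else foreign).append(info)
        source_ports[info["sport"]] = source_ports.get(info["sport"], 0) + 1
    return ours, foreign, source_ports


# Constructed sample, modelled on the values reported in the thread (not real captures).
SAMPLE_PACKETS = [
    build_time_exceeded("198.51.100.7", "192.168.0.2", "192.168.0.2", "203.0.113.10", PROTO_UDP, 2048, 41234),
    build_time_exceeded("198.51.100.9", "192.168.0.2", "192.168.0.2", "203.0.113.55", PROTO_UDP, 2048, 55678),
    build_time_exceeded("198.51.100.3", "192.168.0.2", "203.0.113.77", "192.168.0.2", PROTO_TCP, 443, 33000),
]

if __name__ == "__main__":
    ours, foreign, ports = triage(SAMPLE_PACKETS, "192.168.0.0/24")
    print(f"errors about our own traffic: {len(ours)}, about foreign traffic: {len(foreign)}")
    print("quoted source ports:", ports)
```

Run against real packets, the `ours` list tells you whether the alerts Edin asks about are simply errors on the sensor host's own outbound traffic (a pass rule scoped to ICMP type 11 is then reasonable), while the `foreign` list and the port tally are what you would keep alerting on; an always-identical quoted source port across many different destinations, as Erwin saw, is exactly the kind of pattern the tally is meant to surface for further investigation rather than suppression.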