[Snort-users] ICMP Time-To-Live Exceeded in Transit
edin.dizdarevic at ...7509...
Tue Dec 23 04:45:01 EST 2003
Erwin Van de Velde wrote:
> By popular demand, here is some more information :-)
> I discovered something by taking a closer look:
> The alerts are on inbound packets, with as payload
> org. source ip: 192.168.0.2
> org. source port: 2048 (ALWAYS!!!???) <<===
> org. dest ip: differs, external IPs
> org. dest port: differs, between 40000 and 60000
> I didn't read all the alerts as there are too many, but I tested +/- 20 of them
> and these were the results...
> I do not think it's a virus, as I'm running a virus scanner (Norton AV 2003)
> there, which is fully updated. I'm especially concerned about the fixed
> source port now...
> Does anybody know about this?
> Thanks in advance,
> Erwin Van de Velde
> Student of Antwerp University,
> On Tuesday 23 December 2003 12:26, Edin Dizdarevic wrote:
>>what is in the payload? Those ICMP-packets (usually) transport 8 bytes
>>of the packet's header that caused the error. If the originating packets
>>are coming from your host(s), then you probably often use
>>traceroute ;). If not, consider creating a pass rule for those packets.
>>Where is your sensor sitting? On the router or on your computer? You may
>>also consider running Snort behind your packet filter (if you have one).
>>Your NATing router should only forward ICMP errors that are related to your
>>connections. *DO NOT BLOCK ICMP* completely, since that may cause more
>>problems than it solves.
>>Hm, the more I think about your problem, the more it is becoming clear
>>to me that you simply provided a bit too little information ;) .
>>Erwin Van de Velde wrote:
>>>I'm using snort 2.1.0 and I'm getting quite a lot of these alerts
>>>(43% of the total of alerts). All packets that are logged, are going
>>>to a computer behind my router. I'm using NAT on the router, and my
>>>internal network has only one computer behind it: 192.168.0.2. Router
>>>has (DHCP configured IP, 192.168.0.1) as IP addresses. What can I do
>>>to get rid of all these messages, except disabling this rule? Is
>>>there a way to tweak snort, so that it does not generate these false
>>>positives anymore? Is it an error caused by shorewall, that I use on
>>>the router for NAT, or is there another reason why these alerts are
>>>Thanks in advance,
>>>Erwin Van de Velde Student of Antwerp University Belgium
iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
fon +49-(0)30 69 004-123
fax +49-(0)30 69 004-101
mail edin.dizdarevic at ...7509...
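Edin's point that an ICMP Time Exceeded message quotes the original datagram's IP header plus 8 bytes of its transport header is what lets a defender decide whether such an error belongs to one of the internal host's own connections or is unrelated noise. The Python below is an added example written for this archive page; it is not code from the thread or from Snort. It assumes IPv4 only, takes the internal host 192.168.0.2 from the thread, and builds its own sample packets inline (203.0.113.x and 198.51.100.7 are RFC 5737 documentation addresses used as constructed stand-ins for external hosts; checksums are left at zero and not verified). It decodes the quoted 8 bytes according to the embedded protocol: TCP/UDP ports when the original was TCP or UDP, and ICMP type/code/id/sequence when the original was itself an ICMP message. The `as_if_port` field shows what a decoder that blindly reads the first two quoted bytes as a port would report; for an ICMP echo request those bytes are 0x08 0x00, i.e. 2048.

```python
import struct
from ipaddress import IPv4Address

# Internal host named in the thread; every packet below is a constructed sample.
INTERNAL_HOSTS = {"192.168.0.2"}

ICMP, TCP, UDP = 1, 6, 17
ICMP_TIME_EXCEEDED = 11
ICMP_ECHO_REQUEST = 8


def parse_ipv4_header(buf, offset=0):
    """Return (header_length, protocol, src, dst) for the IPv4 header at buf[offset:]."""
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20:
        raise ValueError("IPv4 header length below minimum")
    return ihl, proto, str(IPv4Address(src)), str(IPv4Address(dst))


def decode_time_exceeded(packet):
    """Decode an IPv4 packet carrying ICMP Time Exceeded; return None for anything else.

    The ICMP body quotes the original datagram's IP header plus (at least) the
    first 8 bytes of its transport header, which is what the thread discusses.
    """
    ihl, proto, reporter, victim = parse_ipv4_header(packet)
    if proto != ICMP or packet[ihl] != ICMP_TIME_EXCEEDED:
        return None
    inner = ihl + 8  # ICMP header: type, code, checksum, 4 unused bytes
    in_ihl, in_proto, in_src, in_dst = parse_ipv4_header(packet, inner)
    quoted = packet[inner + in_ihl: inner + in_ihl + 8]
    if len(quoted) < 8:
        raise ValueError("ICMP error quotes fewer than 8 bytes of the original transport header")
    info = {
        "reporter": reporter, "victim": victim, "icmp_code": packet[ihl + 1],
        "orig_src": in_src, "orig_dst": in_dst, "orig_proto": in_proto,
        # What a decoder that blindly treats the first two quoted bytes as a port would show.
        "as_if_port": struct.unpack("!H", quoted[:2])[0],
        # The check Edin describes: does the quoted original belong to our own host?
        "related_to_internal_host": in_src in INTERNAL_HOSTS,
    }
    if in_proto in (TCP, UDP):
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", quoted[:4])
    elif in_proto == ICMP:
        info["orig_icmp_type"], info["orig_icmp_code"] = quoted[0], quoted[1]
        info["orig_icmp_id"], info["orig_icmp_seq"] = struct.unpack("!HH", quoted[4:8])
    return info


# --- constructed sample packets (checksums left at zero; the decoder does not verify them) ---

def build_ipv4(src, dst, proto, payload, ttl):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def build_time_exceeded(reporter, victim, original):
    """ICMP type 11 code 0 from `reporter`, quoting the original IP header plus 8 payload bytes."""
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + original[:20 + 8]
    return build_ipv4(reporter, victim, ICMP, icmp, ttl=250)


# Original datagrams whose TTL expired at router 203.0.113.1 (constructed).
ORIG_ECHO = build_ipv4("192.168.0.2", "203.0.113.9", ICMP,
                       struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + b"\x00" * 8, ttl=1)
ORIG_UDP = build_ipv4("192.168.0.2", "203.0.113.9", UDP,
                      struct.pack("!HHHH", 54321, 44444, 8, 0), ttl=1)
ORIG_FOREIGN = build_ipv4("198.51.100.7", "203.0.113.9", UDP,
                          struct.pack("!HHHH", 1111, 2222, 8, 0), ttl=1)

SAMPLES = {
    "echo": build_time_exceeded("203.0.113.1", "192.168.0.2", ORIG_ECHO),
    "udp": build_time_exceeded("203.0.113.1", "192.168.0.2", ORIG_UDP),
    "foreign": build_time_exceeded("203.0.113.1", "192.168.0.2", ORIG_FOREIGN),
}


def triage(samples):
    """Map sample name -> 'pass' if the quoted original came from an internal host, else 'alert'."""
    return {name: ("pass" if decode_time_exceeded(pkt)["related_to_internal_host"] else "alert")
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, decode_time_exceeded(pkt))
    print(triage(SAMPLES))
```

The `triage` function is the automated form of Edin's advice: an error whose quoted original came from 192.168.0.2 is the expected result of that host's own traffic (a traceroute or a low-TTL probe) and is a candidate for a pass rule, while one quoting a foreign source address is worth keeping as an alert, because a correctly working NAT should not have forwarded it inward at all.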