[Snort-users] ICMP Time-To-Live Exceeded in Transit

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Dec 23 04:45:01 EST 2003


1. ?

2. ?

3. ?

4. ?


Erwin Van de Velde wrote:

> Hi,
> By popular demand, here is some more information :-) 
> I discovered something by taking a closer look:
> The alerts are on inbound packets, whose payload shows:
> org. source ip:
> org source port: 2048 (ALWAYS!!!???) <<===
> org dest ip: differs, external IPs
> org dest port: differs, between 40000 and 60000
> I didn't read all the alerts as there are too many, but I tested +/- 20 of them 
> and these were the results...
> I do not think it's a virus, as I'm running a virus scanner (Norton AV 2003) 
> there, which is fully updated. I'm especially concerned about the fixed 
> source port now... 
> Does anybody know about this?
> Thanks in advance,
> Erwin Van de Velde
> Student of Antwerp University,
> Belgium
> On Tuesday 23 December 2003 12:26, Edin Dizdarevic wrote:
>>What is in the payload? Those ICMP packets (usually) transport 8 bytes
>>of the header of the packet that caused the error. If the original packets
>>are coming from your host(s), then you probably use
>>traceroute often ;). If not, consider creating a pass rule for those packets.
>>Where is your sensor sitting? On the router or on your computer? You may
>>also consider running Snort behind your packet filter (if you have one).
>>Your NATting router should only forward ICMP errors that relate to your
>>connections. *DO NOT BLOCK ICMP* completely, since that may cause more
>>problems than it solves.
>>Hm, the more I think about your problem, the more it is becoming clear
>>to me that you simply provided a bit too little information ;) .
>>Erwin Van de Velde wrote:
>>>I'm using Snort 2.1.0 and I'm getting quite a lot of these alerts
>>>(43% of the total of alerts). All packets that are logged are going
>>>to a computer behind my router. I'm using NAT on the router, and my
>>>internal network has only one computer behind it: Router
>>>has (DHCP configured IP, as IP addresses. What can I do
>>>to get rid of all these messages, except disabling this rule? Is
>>>there a way to tweak Snort, so that it does not generate these false
>>>positives anymore? Is it an error caused by Shorewall, that I use on
>>>the router for NAT, or is there another reason why these alerts are
>>>Thanks in advance,
>>>Erwin Van de Velde, Student of Antwerp University, Belgium

Edin Dizdarevic
Networking Development
System Developer

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic at ...7509...
URL     http://www.interActive-Systems.de/security
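The check Edin suggests (look at the quoted datagram inside the ICMP error and ask whether it was sent by one of your own hosts) can be done with a few lines of header parsing. The following is an added example written for this thread; it is not code from Snort, Shorewall, or either poster. It builds two constructed Time Exceeded messages (RFC 792: the error quotes the offending IP header plus the first 8 bytes of its payload), decodes them, and classifies the quoted source against an assumed "inside" prefix. All addresses are documentation ranges chosen here (192.0.2.0/24 as the assumed inside network, 198.51.100.0/24 and 203.0.113.1 as outside), not anything from the thread. It also shows a fact worth knowing when reading such alerts through a port-oriented decoder: if the quoted packet is itself an ICMP echo request (type 8, code 0, as sent by ping and by Windows tracert), its first two bytes read as "source port" 0x0800 = 2048 and the next two (the ICMP checksum) as a varying "destination port".

```python
"""Decode an ICMPv4 Time Exceeded message and classify the quoted datagram.

Added example for this thread, not code from the Snort project or the posters.
Every packet below is constructed inline; addresses are documentation ranges.
"""
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 8, 11


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident: int, seq: int, data: bytes = b"") -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


def build_time_exceeded(router: str, offender: bytes) -> bytes:
    """ICMP Time Exceeded (type 11, code 0) sent by `router` about `offender`.

    The error quotes the offending IP header plus the first 8 payload bytes and
    is addressed to the offender's source address (RFC 792).
    """
    inner_ihl = (offender[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + offender[:inner_ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    offender_src = str(ipaddress.IPv4Address(offender[12:16]))
    return ipv4_header(router, offender_src, IPPROTO_ICMP, len(icmp), ttl=250) + icmp


def parse_time_exceeded(packet: bytes) -> dict:
    """Decode outer IP + ICMP headers, then the quoted original datagram."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or packet[ihl] != ICMP_TIME_EXCEEDED:
        raise ValueError("not an ICMP Time Exceeded message")
    inner = packet[ihl + 8:]                       # skip 8-byte ICMP error header
    if len(inner) < 20:
        raise ValueError("truncated error: no quoted IP header")
    inner_ihl = (inner[0] & 0x0F) * 4
    quoted = inner[inner_ihl:inner_ihl + 8]        # the 8 quoted payload bytes
    if len(quoted) < 4:
        raise ValueError("truncated error: fewer than 4 quoted payload bytes")
    info = {
        "router": str(ipaddress.IPv4Address(packet[12:16])),
        "code": packet[ihl + 1],
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
        # What a decoder that treats the quoted bytes as ports would print:
        "as_ports": struct.unpack("!HH", quoted[:4]),
    }
    if info["orig_proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        info["orig_sport"], info["orig_dport"] = info["as_ports"]
    elif info["orig_proto"] == IPPROTO_ICMP:
        # Same bytes are ICMP type, code, checksum: an echo request (8, 0)
        # shows up as "source port" 0x0800 == 2048.
        info["orig_icmp_type"], info["orig_icmp_code"] = quoted[0], quoted[1]
    return info


def classify(info: dict, local_nets) -> str:
    """Own traceroute/ping traffic, or an error about a packet we never sent?"""
    src = ipaddress.IPv4Address(info["orig_src"])
    return "own-traffic" if any(src in net for net in local_nets) else "unsolicited"


LOCAL_NETS = [ipaddress.IPv4Network("192.0.2.0/24")]   # assumed inside network

# Constructed sample 1: inside host pings / tracerts an outside address (ICMP echo).
ECHO = icmp_echo_request(ident=0x1234, seq=1)
OFFENDER_ICMP = ipv4_header("192.0.2.10", "198.51.100.7", IPPROTO_ICMP, len(ECHO), ttl=1) + ECHO
SAMPLE_ICMP = build_time_exceeded("203.0.113.1", OFFENDER_ICMP)

# Constructed sample 2: Unix-style UDP traceroute probe to port 33434.
UDP = struct.pack("!HHHH", 40000, 33434, 8, 0)
OFFENDER_UDP = ipv4_header("192.0.2.10", "198.51.100.7", IPPROTO_UDP, len(UDP), ttl=1) + UDP
SAMPLE_UDP = build_time_exceeded("203.0.113.1", OFFENDER_UDP)

if __name__ == "__main__":
    for pkt in (SAMPLE_ICMP, SAMPLE_UDP):
        d = parse_time_exceeded(pkt)
        print(classify(d, LOCAL_NETS), d)
```

If the quoted source is one of your own addresses, the alerts are the expected by-product of ping/traceroute and a Snort pass rule for ICMP type 11 from your upstream hops is reasonable; if the quoted source is not yours, the router should not have forwarded the error to you, and the sensor position (in front of or behind the NAT/packet filter) decides what you see.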
