[Snort-users] ICMP Destination ... (Port Unreachable) Help

Brian Blake BBlake at ...8135...
Tue Jan 28 14:07:10 EST 2003


In the past two days I have had a machine generating over 5k hits a day.
The traffic shows up via snort as ICMP Destination Unreachable (Port
Unreachable).  The machine in question has sent this same traffic to about
10 different addresses, but both on the same day.  I have talked with two
other people who know networking and TCP/IP and they are just as stumped.
The system is running up to date with McAfee Virusscan 4.51 sp1.  Below you
will find the info extracted from snort.  I researched port 137 scans on
the SANS website with no real help.
(http://www.sans.org/resources/idfaq/port_137.php) Any help is greatly
appreciated.  (IPs removed to be nice)


#(1 - 43761) [2003-01-28 13:23:56] [snort/402]  ICMP Destination Unreachable
(Port Unreachable)
IPv4: ***.***.***.*** -> 192.168.2.17
      hlen=5 TOS=192 dlen=106 ID=20950 flags=0 offset=0 TTL=239 chksum=48542
ICMP: type=Destination Unreachable code=Port Unreachable
      checksum=47270 id= seq=
Payload:  length = 82

000 : 00 00 00 00 45 00 00 4E EF 8B 00 00 6F 11 A0 B5   ....E..N....o...
010 : C0 A8 02 11 0C 9E EC 06 00 89 00 89 00 3A 83 B9   .............:..
020 : 81 17 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   ............ CKA
030 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
040 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
050 : 00 01                                             ..

#(1 - 43816) [2003-01-28 13:24:10] [snort/402]  ICMP Destination Unreachable
(Port Unreachable)
IPv4: ***.***.***.*** -> 192.168.2.17
      hlen=5 TOS=192 dlen=106 ID=35055 flags=0 offset=0 TTL=250 chksum=57558
ICMP: type=Destination Unreachable code=Port Unreachable
      checksum=21333 id= seq=
Payload:  length = 82

000 : 00 00 00 00 45 00 00 4E 5F 80 00 00 7B 11 8A 12   ....E..N_...{...
010 : C0 A8 02 11 50 43 43 10 00 89 00 89 00 3A E8 24   ....PCC......:.$
020 : 81 FD 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   ............ CKA
030 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
040 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
050 : 00 01                                             ..



Brian Blake
PC Technician
Information Services
American Background Information Services, Inc.   
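
Added example, not part of the original post: an ICMP port-unreachable quotes the start of the datagram that triggered it, so decoding the first dump above shows what 192.168.2.17 itself sent (here a UDP 137 to 137 NetBIOS node status query for the wildcard name). The function names are made up for this sketch, and the layout assumed (four unused ICMP bytes, then IPv4, UDP and one NetBIOS name service question) is read off the dump.

```python
import re
import socket
import struct

# First alert's payload, copied from the Snort dump in the post above.
DUMP = """\
000 : 00 00 00 00 45 00 00 4E EF 8B 00 00 6F 11 A0 B5   ....E..N....o...
010 : C0 A8 02 11 0C 9E EC 06 00 89 00 89 00 3A 83 B9   .............:..
020 : 81 17 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   ............ CKA
030 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
040 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
050 : 00 01                                             ..
"""
# One row: offset, " : ", up to 16 hex bytes; the ASCII column is ignored.
HEX_ROW = re.compile(r"^[0-9A-Fa-f]+ : ((?:[0-9A-Fa-f]{2} ?){1,16})")

def dump_to_bytes(dump):
    """Rebuild the raw payload from the hex column of each dump row."""
    rows = (HEX_ROW.match(line) for line in dump.splitlines())
    return b"".join(bytes.fromhex(m.group(1)) for m in rows if m)

def decode_nb_name(encoded):
    """Undo NetBIOS first-level encoding: two letters 'A'..'P' per byte."""
    raw = bytes(((encoded[i] - 65) << 4) | (encoded[i + 1] - 65)
                for i in range(0, len(encoded), 2))
    return raw.rstrip(b"\x00 ").decode("latin-1")

def parse_unreachable(payload):
    """Describe the datagram quoted inside an ICMP unreachable payload."""
    inner = payload[4:]                     # skip the 4 unused ICMP bytes
    ihl = (inner[0] & 0x0F) * 4             # quoted IPv4 header length
    if inner[9] != 17:
        raise ValueError("quoted datagram is not UDP")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    nbns = inner[ihl + 8:]                  # NetBIOS name service message
    flags, qdcount = struct.unpack("!HH", nbns[2:6])
    name_len = nbns[12]                     # length byte of the encoded name
    qtype = struct.unpack("!H", nbns[14 + name_len:16 + name_len])[0]
    return {
        "src": socket.inet_ntoa(inner[12:16]),   # host that sent the probe
        "dst": socket.inet_ntoa(inner[16:20]),   # host that answered with ICMP
        "ttl": inner[8],                         # TTL left when it was refused
        "sport": sport, "dport": dport,
        "is_query": not flags & 0x8000 and qdcount == 1,
        "nb_name": decode_nb_name(nbns[13:13 + name_len]),
        "qtype": qtype,                          # 0x21 = NBSTAT (node status)
    }

if __name__ == "__main__":
    print(parse_unreachable(dump_to_bytes(DUMP)))
```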

