[Snort-users] ICMP messages

Neil Sandow rxlist at ...10041...
Fri Sep 5 12:04:07 EDT 2003


I'm trying to get to the bottom of alert messages like this one:


[**] [1:485:2] ICMP Destination Unreachable (Communication
Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
09/05-11:23:30.729265 128.252.1.229 -> 129.250.146.18
ICMP TTL:245 TOS:0x0 ID:1981 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
129.250.146.18:0 -> 128.252.140.114:0
TCP TTL:52 TOS:0x0 ID:11009 IpLen:20 DgmLen:44
Seq: 0x6E4516BA  Ack: 0xA2D4583F
** END OF DUMP


While I had snort running, I was also running tcpdump so I could get a
fuller picture of the traffic from complaining IPs.

With the above alert I found several packets in the binary dump from
tcpdump indicating that 128.252.140.114 had connected to port 80 and
requested a web page:


<snip>
---------------------------------------------------------------------------
Packet 294372
TIME:   11:23:21.607182 (0.003618)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.140.114 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=48
id=D91D
        MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0D2F
 TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000
        hlen=28 (data=0) UAPRSF=000010 wnd=8192 cksum=D178 urg=0
DATA:   <No data>
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 294373
TIME:   11:23:21.607497 (0.000315)
LINK:   00:10:5A:82:D3:69 -> 00:01:97:4B:A2:9E type=IP
  IP:   129.250.146.18 -> 128.252.140.114 hlen=20 TOS=00 dgramlen=44
id=236A
        MF/DF=0/0 frag=0 TTL=63 proto=TCP cksum=36E7
 TCP:   port 80 -> 1105 seq=1850021562 ack=0013134531
        hlen=24 (data=0) UAPRSF=010010 wnd=65535 cksum=816F urg=0
DATA:   <No data>
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 294398
TIME:   11:23:21.663391 (0.006901)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.1.229 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=56 id=07A1
        MF/DF=0/0 frag=0 TTL=245 proto=ICMP cksum=2736
ICMP:   destination-unreachable because trafffic-prohibited-by-filter
cksum=7352
DATA:   ....E..,#j..4.A........r.P.QnE..
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 295885
TIME:   11:23:24.658763 (0.000513)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.1.229 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=56 id=07AA
        MF/DF=0/0 frag=0 TTL=245 proto=ICMP cksum=272D
ICMP:   destination-unreachable because trafffic-prohibited-by-filter
cksum=7352
DATA:   ....E..,'...4.>5.......r.P.QnE..
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 295905
TIME:   11:23:24.678611 (0.000203)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.140.114 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=48
id=DB1D
        MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0B2F
 TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000
        hlen=28 (data=0) UAPRSF=000010 wnd=8192 cksum=D178 urg=0
DATA:   <No data>
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 295907
TIME:   11:23:24.678876 (0.000214)
LINK:   00:10:5A:82:D3:69 -> 00:01:97:4B:A2:9E type=IP
  IP:   129.250.146.18 -> 128.252.140.114 hlen=20 TOS=00 dgramlen=44
id=2729
        MF/DF=0/0 frag=0 TTL=63 proto=TCP cksum=3328
 TCP:   port 80 -> 1105 seq=1850021562 ack=0013134531
        hlen=24 (data=0) UAPRSF=010010 wnd=65535 cksum=816F urg=0
DATA:   <No data>
---------------------------------------------------------------------------

<snip>

---------------------------------------------------------------------------
Packet 296437
TIME:   11:23:26.327234 (0.035164)
LINK:   00:10:5A:82:D3:69 -> 00:01:97:4B:A2:9E type=IP
  IP:   129.250.146.18 -> 128.252.140.114 hlen=20 TOS=00 dgramlen=1500
id=5F54
        MF/DF=0/1 frag=0 TTL=63 proto=TCP cksum=B54C
 TCP:   port 80 -> 1107 seq=3732292037 ack=0013139065
        hlen=20 (data=1460) UAPRSF=010000 wnd=65535 cksum=004F urg=0
DATA:   HTTP/1.1 200 OK.
        Date: Fri, 05 Sep 2003 18:23:25 GMT.
        Server: Apache/1.3.23 (Unix) mod_perl/1.27.
        Keep-Alive: timeout=15, max=100.
        Connection: Keep-Alive.
        Transfer-Encoding: chunked.
        Content-Type: text/html.
        .
        fe7.

        <html>
        <head>
        <title>RxList drug search results page yields brand generic
        therapeutic category with links to professional and patient
        oriented monographs"</title>
        <meta http-equiv="Content-Type" content="text/html; charset=
        iso-8859-1">
        <STYLE TYPE="text/css">

        a:link {
                color:6600FF;
                font-family: verdana,arial,helvetica;
                }

        a:visited {
                color:990000;
                font-family: verdana,arial,helvetica;
                }

        a:hover {
                font-family: verdana,arial,helvetica;
                }

        a:active {
                color:006600;
                font-family: verdana,arial,helvetica;
                }

        BODY, TD                { font-size: 12px ; color: #000000;
font-family: v
        erdana,arial,helvetica;}


        .txt10bk        { color: #000000; font-size: 10px ; font-weight:
10
        0%; font-family: verdana,arial,helvetica;}
        .txt11bk        { color: #000000; font-size: 11px ; font-weight:
10
        0%; font-family: verdana,arial,helvetica;}
        .txt12bk        { color: #000000; font-size: 12px ; font-weight:
10
        0%; font-family: verdana,arial,helvetica;}
        .txt13bk        { color: #000000; font-size: 13px ; font-weight:
10
        0%; font-family: verdana,arial,helvetica;}
        .txt14bk        { color: #000000; font-size: 14px ; font-weight:
10
        0%; font-family: verdana,arial,helvetica;}

        .btxt10bk       { color: #000000; font-size: 10px ; font-weight: 7
        00; font-family: verdana,arial,helvetica;}
        .btxt11bk       { col
---------------------------------------------------------------------------
<snip>
---------------------------------------------------------------------------
Packet 298420
TIME:   11:23:30.729259 (0.002923)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.1.229 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=56 id=07BD
        MF/DF=0/0 frag=0 TTL=245 proto=ICMP cksum=271A
ICMP:   destination-unreachable because trafffic-prohibited-by-filter
cksum=7352
DATA:   ....E..,+...4.:P.......r.P.QnE..
---------------------------------------------------------------------------

Is this the result of a client (128.252.140.114) behind a firewall making
an http request that the firewall (128.252.1.229 ?) does not allow?

Thanks! -Neil



                               ===================
                        Neil Sandow, Pharm.D. rx at ...10041...
                     http://rxlist.com - The Internet Drug Index
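As an added example, not part of Neil's post or of Snort itself: a small Python parser for ICMP Destination Unreachable / Administratively Prohibited messages, run over a packet reconstructed from the fields in the alert above (outer header 128.252.1.229 -> 129.250.146.18, ID 1981, TTL 245; quoted datagram 129.250.146.18:80 -> 128.252.140.114:1105, ID 11009, TTL 52, seq 0x6E4516BA). The ack value comes from the SYN-ACK in the tcpdump excerpt and the checksums are computed here rather than copied, so the bytes are a constructed reproduction, not the captured frame.

```python
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACH, ADMIN_PROHIBITED = 3, 13   # Snort's "Type:3 Code:13"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a block with a valid checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ident, ttl):
    """20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_admin_prohibited(filter_ip, original):
    """What a filtering router sends back: ICMP 3/13 quoting the dropped datagram's
    IP header plus the first 8 bytes of its transport header (RFC 792)."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ADMIN_PROHIBITED, 0, 0) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    dropped_sender = str(IPv4Address(original[12:16]))      # error goes back to the sender
    return ipv4_header(filter_ip, dropped_sender, 1, len(icmp), 0x07BD, 245) + icmp

def parse_admin_prohibited(pkt):
    """Return who filtered what: the outer source plus the quoted datagram's 5-tuple."""
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, ADMIN_PROHIBITED):
        raise ValueError("type %d code %d is not admin-prohibited" % (icmp[0], icmp[1]))
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])   # only 8 bytes quoted: no ack
    return {"filter": str(IPv4Address(pkt[12:16])), "ttl": inner[8], "proto": inner[9],
            "src": str(IPv4Address(inner[12:16])), "dst": str(IPv4Address(inner[16:20])),
            "sport": sport, "dport": dport, "seq": seq}

def example():
    # Constructed from the alert: the dropped datagram is the web server's SYN-ACK
    # (ID 11009, TTL 52 where it was dropped, seq 0x6E4516BA, 24-byte TCP header with MSS option).
    syn_ack = (ipv4_header("129.250.146.18", "128.252.140.114", 6, 24, 11009, 52)
               + struct.pack("!HHIIBBHHH", 80, 1105, 0x6E4516BA, 13134531, 0x60, 0x12, 65535, 0, 0)
               + b"\x02\x04\x05\xb4")
    pkt = build_admin_prohibited("128.252.1.229", syn_ack)      # 56 bytes, like DgmLen:56
    return parse_admin_prohibited(pkt)
```

The quoted datagram's direction is the useful part of such an alert: here it is the server's reply toward the client, so the filter at the ICMP sender is acting on the return leg of the connection, and the 8-byte quote is why ports and sequence number are recoverable but nothing past them.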