[Snort-users] ICMP messages

Neil Sandow rxlist at ...10041...
Mon Sep 8 19:33:03 EDT 2003


On Mon, 8 Sep 2003, Matt Kettler wrote:

> At 12:03 PM 9/5/2003 -0700, Neil Sandow wrote:
>
> >Is this the result of a client (128.252.140.114) behind a firewall making
> >an http request that the firewall (128.252.1.229 ?) does not allow?
> >
> >Thanks! -Neil
>
> No, this is a result of a client (129.250.146.18) making an http
> request to a "server" (128.252.140.114) that the firewall protecting the
> "server" (128.252.1.229) did not allow.
>
> You've got the right basics, but you're mis-identifying the client and the
> "server".
>
> (note: in this case I quoted "server" because your client is treating it as
> if it were a webserver, but the behavior of the firewall indicates that
> it's clearly not intended to be a webserver)
>
>
> The ICMP message itself is from the firewall, and sent to the originator of
> the communication that was blocked. The ICMP message also contains a short
> quotation of the headers of the offending packet, showing what was
> attempting to traverse the firewall that it refused.
>

But the very first packet in the series was:

<snip>
---------------------------------------------------------------------------
Packet 294372
TIME:   11:23:21.607182 (0.003618)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP:   128.252.140.114 -> 129.250.146.18 hlen=20 TOS=00 dgramlen=48 id=D91D
        MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0D2F
 TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000
        hlen=28 (data=0) UAPRSF=000010 wnd=8192 cksum=D178 urg=0
DATA:   <No data>
---------------------------------------------------------------------------

indicating that 128.252.140.114 (port 1105) made a request to
129.250.146.18 (port 80) which was then ack'd and so on leading to the
firewall ICMP messages.  That's why I refer to 129.250.146.18 as the
'server' and 128.252.140.114 as the 'client'.   This is wrong?

-Neil
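Added illustration (not part of the thread, and not Snort code): a small Python script that shows the two pieces of evidence the thread is arguing about. First, it decodes an ICMP Destination Unreachable message the way RFC 792 defines it: the outer IP source is the device that refused the packet, and the quoted inner IP header plus first 8 transport bytes name the host and port that the refused packet came from and was aimed at. Second, it classifies a captured TCP packet by its flags, since a bare SYN with ack=0 is the opening packet of a connection and its sender is the initiator. The sample packet is constructed here: it wraps the SYN from the capture above (128.252.140.114:1105 -> 129.250.146.18:80, flags S, ack 0; the sequence number is read as decimal) in an ICMP type 3 message assumed to carry code 13 (administratively prohibited) and assumed to be sent by 128.252.1.229; none of those ICMP details appear on the page.

```python
"""Decode an ICMP Destination Unreachable message and recover, from the
header quotation it carries, which host sent the refused packet (RFC 792)."""
import socket
import struct

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {  # subset of the RFC 1122 / RFC 1812 code assignments
    0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
    9: "communication with destination network administratively prohibited",
    10: "communication with destination host administratively prohibited",
    13: "communication administratively prohibited",
}
TCP_FLAG_NAMES = [(0x20, "U"), (0x10, "A"), (0x08, "P"),
                  (0x04, "R"), (0x02, "S"), (0x01, "F")]

def checksum(data: bytes) -> int:
    """Internet ones'-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0, df=True):
    """Minimal 20-byte IPv4 header with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_header(sport, dport, seq, ack, flags, window):
    """20-byte TCP header without options; TCP checksum left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, window, 0, 0)

def icmp_unreachable(code, refused_datagram):
    """ICMP type 3: quotes the inner IP header plus 8 bytes of transport header."""
    inner_ihl = (refused_datagram[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    msg += refused_datagram[:inner_ihl + 8]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def parse_ipv4(buf):
    return {"ihl": (buf[0] & 0x0F) * 4, "proto": buf[9],
            "src": socket.inet_ntoa(buf[12:16]),
            "dst": socket.inet_ntoa(buf[16:20])}

def parse_icmp_unreachable(packet):
    """Return who refused what: outer src is the filtering device, inner
    src/dst and ports come from the quoted header of the refused packet."""
    outer = parse_ipv4(packet)
    if outer["proto"] != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[outer["ihl"]:]
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    code = icmp[1]
    inner_buf = icmp[8:]
    inner = parse_ipv4(inner_buf)
    transport = inner_buf[inner["ihl"]:inner["ihl"] + 8]
    result = {"filtering_device": outer["src"], "notified_host": outer["dst"],
              "code": code, "reason": UNREACH_CODES.get(code, "code %d" % code),
              "refused_packet_from": inner["src"],
              "refused_packet_to": inner["dst"], "inner_proto": inner["proto"]}
    if inner["proto"] == 6 and len(transport) >= 8:
        result["sport"], result["dport"], result["seq"] = struct.unpack("!HHI", transport)
    return result

def flag_string(flags):
    """Render TCP flag bits in the UAPRSF order used by the capture above."""
    return "".join(name for bit, name in TCP_FLAG_NAMES if flags & bit) or "."

def role_of_sender(tcp_flags, ack_number):
    """A bare SYN with ack=0 opens the connection, so its sender is the client."""
    if tcp_flags & 0x02 and not tcp_flags & 0x10 and ack_number == 0:
        return "client (connection initiator)"
    if tcp_flags & 0x02 and tcp_flags & 0x10:
        return "server (answering the SYN)"
    return "undetermined from this packet alone"

# Constructed sample: the SYN from the thread's capture, wrapped in an ICMP
# type 3 / code 13 message assumed to come from 128.252.1.229 (not on the page).
SYN_DATAGRAM = (ipv4_header("128.252.140.114", "129.250.146.18", 6, 20,
                            ttl=115, ident=0xD91D)
                + tcp_header(1105, 80, 13134530, 0, 0x02, 8192))
SAMPLE_ICMP = icmp_unreachable(13, SYN_DATAGRAM)
SAMPLE_PACKET = ipv4_header("128.252.1.229", "128.252.140.114", 1,
                            len(SAMPLE_ICMP)) + SAMPLE_ICMP

if __name__ == "__main__":
    for key, value in parse_icmp_unreachable(SAMPLE_PACKET).items():
        print("%-22s %s" % (key, value))
    print("sender of a SYN with ack=0 is the", role_of_sender(0x02, 0))
```

Run against a real capture, the same parser is fed the raw bytes of each ICMP packet; the "refused_packet_from" field then answers which host originated the blocked request, independently of which end is called the "server".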