[Snort-users] ICMP messages

Neil Sandow rxlist at ...10041...
Mon Sep 8 19:33:03 EDT 2003

On Mon, 8 Sep 2003, Matt Kettler wrote:

> At 12:03 PM 9/5/2003 -0700, Neil Sandow wrote:
> >Is this the result of a client ( behind a firewall making
> >an http request that the firewall ( ?) does not allow?
> >
> >Thanks! -Neil
> No, this is a result of a client ( making an http
> request to a "server" ( that the firewall protecting the
> "server" ( did not allow.
> You've got the right basics, but you're mis-identifying the client and the
> "server".
> (note: in this case I quoted "server" because your client is treating it as
> if it were a webserver, but the behavior of the firewall indicates that
> it's clearly not intended to be a webserver)
> The ICMP message itself is from the firewall, and sent to the originator of
> the communication that was blocked. The ICMP message also contains a short
> quotation of the headers of the offending packet, showing what was
> attempting to traverse the firewall that it refused.

But the very first packet in the series was:

Packet 294372
TIME:   11:23:21.607182 (0.003618)
LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
  IP: -> hlen=20 TOS=00 dgramlen=48
        MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0D2F
 TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000
        hlen=28 (data=0) UAPRSF=000010 wnd=8192 cksum=D178 urg=0
DATA:   <No data>

indicating that (port 1105) made a request to (port 80) which was then ack'd and so on leading to the
firewall ICMP messages.  That's why I refer to as the
'server' and as the 'client'.   This is wrong?
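As an added illustration of the point made above about the quoted headers (example code written for this note, not from the thread or from Snort), this parses the original IP/TCP header out of an ICMP Destination Unreachable message so the refused flow can be read off directly: the quoted source is the client whose packet was dropped, the quoted destination is the host it was trying to reach. The addresses, ports and the whole message are constructed sample values.

```python
import struct

UNREACHABLE_CODES = {          # ICMP type 3 codes (RFC 792 / RFC 1812)
    0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
    9: "net administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_unreachable(icmp):
    """Return the original flow quoted in an ICMP Destination Unreachable,
    or None if the message is not type 3, is truncated, or fails checksum."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3 or icmp_checksum(icmp) != 0:
        return None
    inner = icmp[8:]                       # quoted IP header + 8 bytes of transport
    ihl = (inner[0] & 0x0F) * 4            # IP options, if any, push the ports out
    if len(inner) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "reason": UNREACHABLE_CODES.get(icmp[1], "code %d" % icmp[1]),
        "proto": inner[9],
        "orig_src": ".".join(map(str, inner[12:16])), "orig_sport": sport,
        "orig_dst": ".".join(map(str, inner[16:20])), "orig_dport": dport,
    }

def describe(icmp):
    """One-line reading for an analyst: who tried to reach whom, and why it was refused."""
    f = parse_icmp_unreachable(icmp)
    if f is None:
        return "not a parseable ICMP unreachable"
    return "%s:%d -> %s:%d refused (%s)" % (f["orig_src"], f["orig_sport"],
                                            f["orig_dst"], f["orig_dport"], f["reason"])

def build_sample():
    """Constructed sample (not a real capture): a firewall's type 3 / code 13
    reply quoting a TCP SYN 192.0.2.10:1105 -> 198.51.100.20:80, DF set, TTL 115."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0x4000, 115, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp_first8 = struct.pack("!HHI", 1105, 80, 13134530)   # sport, dport, seq
    body = struct.pack("!BBHI", 3, 13, 0, 0) + ip_hdr + tcp_first8
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

if __name__ == "__main__":
    print(describe(build_sample()))
```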

