[Snort-users] Alerts of the ICMP relationship with smtp connection?

Briggs, Bruce Bruce.Briggs at ...13183...
Tue Jun 7 06:37:06 EDT 2005


Since these are echo request (ping) ICMP packets, they are not likely to
be caused by PMTU checking.
However, some servers do a ping prior to sending, to make sure that the
far end is up.

You need to inspect the ICMP packet to see whether it is a big (near 1500
bytes) or small packet, whether the do-not-fragment bit is set, etc., to try
to ascertain why it may be sent by the sending software.

Perhaps you should ask the software provider why it sends out ICMP
packets.

Bruce
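The inspection Bruce describes (packet size and DF bit of the echo request) and the log correlation Paulo did by hand (Snort alert source IP against the Postfix relay IP at the same time) can both be scripted. The block below is an added example written for this page, not code from the thread or from the Snort or Postfix projects. It uses only the Python standard library; the packets, the Snort fast-alert lines and the maillog lines are constructed test input, the year 2005 is assumed for the maillog timestamps (syslog lines carry no year), and the 1400/100-byte size thresholds and the 60-second correlation window are arbitrary choices, not anything the thread specifies.

```python
"""Inspect ICMP echo requests and correlate Snort alerts with Postfix maillog.

Added example for this thread (not the list's or Snort's code). All input
below is constructed; thresholds and the 60 s window are assumptions.
"""
import re
import struct
from datetime import datetime

ASSUMED_YEAR = 2005  # syslog/maillog lines carry no year; assumed here


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_echo_request(src, dst, payload_len, df):
    """Construct IPv4 + ICMP echo request bytes (constructed test input;
    checksums are left at zero since only header fields are inspected)."""
    total_len = 20 + 8 + payload_len
    flags_frag = 0x4000 if df else 0  # DF is bit 0x4000 of flags/frag-offset
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                         flags_frag, 64, 1, 0, ip_to_bytes(src), ip_to_bytes(dst))
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1)  # type 8 = echo request
    return ip_hdr + icmp_hdr + bytes(payload_len)


def inspect_echo(pkt):
    """Return the fields Bruce suggests looking at, plus a size/DF verdict."""
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != 1:
        raise ValueError("not an IPv4 ICMP packet")
    icmp_type, icmp_code = struct.unpack("!BB", pkt[ihl:ihl + 2])
    df = bool(flags_frag & 0x4000)
    if icmp_type != 8:
        verdict = "not an echo request"
    elif total_len >= 1400 and df:      # assumed threshold: near Ethernet MTU
        verdict = "large echo request with DF set (near-MTU sized probe)"
    elif total_len <= 100:              # assumed threshold: ordinary ping size
        verdict = "small echo request (plain reachability ping)"
    else:
        verdict = "mid-sized echo request; check sender software"
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
            "total_length": total_len, "df": df, "ttl": ttl,
            "icmp_type": icmp_type, "icmp_code": icmp_code,
            "payload_length": total_len - ihl - 8, "verdict": verdict}


# Snort "alert_fast" line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+"
    r"(.*?)\s+\[\*\*\].*?\{ICMP\}\s+(\S+)\s+->\s+(\S+)")
# Postfix smtp client line: "Mon DD HH:MM:SS host postfix/smtp[pid]: ... relay=name[ip]:port ..."
MAILLOG_RE = re.compile(
    r"^(\w{3})\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+postfix/smtp\[\d+\]:"
    r".*?relay=\S+?\[(\d+\.\d+\.\d+\.\d+)\]")

# Constructed sample logs (documentation IP ranges; not real hosts).
SAMPLE_ALERTS = [
    "06/07-07:59:02.104233  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "06/07-07:59:02.104900  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "06/07-08:15:44.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.77 -> 198.51.100.5",
]
SAMPLE_MAILLOG = [
    "Jun  7 07:58:50 mx postfix/qmgr[1011]: 7A1B2C3D4E: from=<bob@example.org>, size=1234, nrcpt=1 (queue active)",
    "Jun  7 07:59:01 mx postfix/smtp[2143]: 7A1B2C3D4E: to=<alice@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.2, status=sent (250 2.0.0 Ok: queued)",
]


def correlate(alert_lines, maillog_lines, window_s=60):
    """Match ICMP alerts whose source IP is a Postfix relay contacted within
    window_s seconds (the pattern Paulo observed by eye)."""
    deliveries = []
    for line in maillog_lines:
        m = MAILLOG_RE.match(line)
        if m:
            when = datetime.strptime(
                f"{m.group(1)} {m.group(2)} {m.group(3)}:{m.group(4)}:{m.group(5)} {ASSUMED_YEAR}",
                "%b %d %H:%M:%S %Y")
            deliveries.append((when, m.group(6)))
    matches = []
    for line in alert_lines:
        a = ALERT_RE.match(line)
        if not a:
            continue
        when = datetime(ASSUMED_YEAR, *(int(a.group(i)) for i in range(1, 6)))
        sid, msg, src = a.group(6), a.group(7), a.group(8)
        for dt, relay in deliveries:
            delta = abs((when - dt).total_seconds())
            if relay == src and delta <= window_s:
                matches.append({"sid": sid, "msg": msg, "src": src, "delta_s": delta})
                break
    return matches


if __name__ == "__main__":
    for plen, df in ((1472, True), (56, False)):
        print(inspect_echo(build_echo_request("192.0.2.10", "198.51.100.5", plen, df)))
    for hit in correlate(SAMPLE_ALERTS, SAMPLE_MAILLOG):
        print(f"SID {hit['sid']} ({hit['msg']}) from {hit['src']} {hit['delta_s']:.0f}s from a Postfix delivery to it")
```

On real data, `inspect_echo` would be fed the IP packet bytes from Snort's packet log or a tcpdump capture, and `correlate` the actual /var/log/snort/alert and /var/log/maillog lines; alerts that correlate with a delivery to the same host are the ones to take up with the remote site's software, while the uncorrelated ones (the 203.0.113.77 line in the sample) still deserve the "someone is mapping the network" reading Bob gave.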

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paulo
Sent: Tuesday, June 07, 2005 7:59 AM
To: Bob Konigsberg
Cc: Snort.org List
Subject: RE: [Snort-users] Alerts of the ICMP relationship with smtp
connection?

Hi Bob,

Thanks for your help. The message below is my original
message. Since that message, I have been searching for an
answer to this question.

In a test, I was watching the maillog of Postfix
while Postfix sent the mail. At the same time I was
watching the alert log of Snort too.

The alerts in Snort are generated exactly while
Postfix sends mail.

The files I was watching are /var/log/maillog and
/var/log/snort/alert.

I think that the alerts are harmless traffic, but I'd
like to understand why they are generated.

Thanks for your help again.


ORIGINAL MESSAGE:
I am using Snort Version 2.3.2 (Build 12).
I have these alerts in my Snort logs:

366 - ICMP Ping *nix
384 - ICMP Ping
368 - Ping BSDtype
 
I investigated my other systems' logs, and the time
at which this alert is recorded is the same as that of
the SMTP connection registered in the maillog file of
my Postfix server.

The source IP address in Snort's log is equal to the
destination IP address of the SMTP connection in the
maillog.
 
Can these alerts be generated by my mail server when
it sends mail?
 
Are these alerts a false positive?
 
Thanks for your help


--- Bob Konigsberg <bobkberg at ...12746...> wrote:

> ICMP type 8 is an echo request - someone is trying
> to ping you - probably in
> an attempt to map out your network.
> 
> Bob 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On
> Behalf Of Paulo
> Sent: Monday, June 06, 2005 12:51 PM
> To: Frank Knobbe
> Cc: Snort.org List
> Subject: Re: [Snort-users] Alerts of the ICMP
> relationship with smtp
> connection?
> 
> Thanks Frank,
> 
> How can I confirm this? The alerts are ICMP type
> 8.
> 
> 
> Thanks for your help again.
> 
> --- Frank Knobbe <frank at ...9761...> wrote:
> 
> > On Mon, 2005-05-30 at 13:40 -0700, Paulo wrote:
> > > I didn't solve this yet. Please, anyone can help
> > me?
> > 
> > Maybe you didn't get responses because it's not a
> Snort related issue.
> > 
> > To answer your question, read up on Path Maximum
> Transmission Unit (PMTU)
> > Discovery by googling it. Here are a couple of links that
> Google spit out
> > right away.
> > 
> > http://www.netheaven.com/pmtu.html
> > which also references
> > ftp://ftp.rfc-editor.org/in-notes/rfc1191.txt
> > 
> > While you are learning about PMTU, please review
> your firewall rule
> > set and make sure you don't block ALL inbound ICMP
> packets. Please let
> > at least type 3 and type 11 ICMP packets through.
> > 
> > (Hint: The remote mail servers are sending a large
> ICMP packet in 
> > order to discover the MTU between them and you. It
> is harmless 
> > traffic.)
> > 
> > Hope that helps,
> > Frank
> > 
> > 
> 
> 
> 



		
__________________________________ 
Discover Yahoo! 
Use Yahoo! to plan a weekend, have fun online and more. Check it out! 
http://discover.yahoo.com/


-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you
shotput
a projector? How fast can you ride your desk chair down the office luge
track?
If you want to score the big prize, get to know the little guy.  
Play to win an NEC 61" plasma display: http://www.necitguy.com/?r=20
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
