[Snort-users] Alerts of the ICMP relationship with smtp connection?

Briggs, Bruce Bruce.Briggs at ...13183...
Tue Jun 7 14:04:07 EDT 2005


The DF bit indicates that anything transferring the packet, such as a router, is not allowed to fragment the packet into smaller chunks to get it to its destination.
This could be done by PMTU checking, but the packet size is quite small for PMTU.

I'm not sure why your server is sending these out.

It looks like you have 3 rules which are logging 1 ping packet.  Either that or the packet is being sent 3 times with identical info.

Bruce

-----Original Message-----
From: Paulo [mailto:listassec at ...131...] 
Sent: Tuesday, June 07, 2005 10:17 AM
To: Briggs, Bruce; Bob Konigsberg
Cc: Snort.org List
Subject: RE: [Snort-users] Alerts of the ICMP relationship with smtp connection?

Hi Bruce,

Thanks for your help. Below are the Snort alerts,
where 200.201.202.203 is the IP address of the
mail destination and 200.201.101.102 is my IP
address.

[**] [1:366:7] ICMP PING *NIX [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:23.865467 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:2 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:2 ECHO
[Xref => http://www.whitehats.com/info/IDS152]

The ICMP packet is small and the DF flag is set.
I was looking at the TCP packet size that my Postfix sends,
and it is 1500 bytes.
Does the DF flag in the ICMP packet mean that the destination
mail server is telling Postfix not to fragment the
packet?

Normally the mails are sent with CorelDraw file
attachments, almost always 1 Mb or more.

Thanks for your help again.


--- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:

> Since these are echo request (ping) ICMP packets, they are not likely to
> be caused by PMTU checking.
> However, some servers do a ping prior to sending, to make sure that the
> far end is up.
> 
> You need to inspect the ICMP packet to see if it is a big (near 1500
> bytes) or small packet, if the do not fragment bit is set, etc. to try
> to ascertain why this may be sent by the sending software.
> 
> Perhaps you should ask the software provider why it sends out ICMP
> packets.
> 
> Bruce
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paulo
> Sent: Tuesday, June 07, 2005 7:59 AM
> To: Bob Konigsberg
> Cc: Snort.org List
> Subject: RE: [Snort-users] Alerts of the ICMP relationship with smtp connection?
> 
> Hi Bob,
> 
> Thanks for the help. The message below is my original message. After
> this message, I have been searching for an answer to this question.
> 
> In a test, I was watching the maillog of Postfix while Postfix sent
> the mail. At the same time I was watching the alert log of Snort too.
> 
> The alerts in Snort are generated exactly while Postfix sends mail.
> 
> The files that I was watching are /var/log/maillog and
> /var/log/snort/alert.
> 
> I think that the alerts are harmless traffic, but I'd like to
> understand why they are generated.
> 
> Thanks for the help again.
> 
> 
> ORIGINAL MESSAGE:
> I am using Snort Version 2.3.2 (Build 12).
> I have in my Snort logs the alerts:
> 
> 366 - ICMP Ping *nix
> 384 - ICMP Ping
> 368 - Ping BSDtype
> 
> I investigated my other systems' logs, and the time at which this alert
> is recorded is the same as that of the SMTP connection registered in the
> maillog archive of my Postfix server.
> 
> The source IP address in Snort's log is equal to the destination IP
> address in the maillog for the SMTP connection.
> 
> Can these alerts be generated by my mail server when it sends mail?
> 
> Are these alerts a false positive?
> 
> Thanks for the help
> 
> 
> --- Bob Konigsberg <bobkberg at ...12746...> wrote:
> 
> > ICMP type 8 is an echo request - someone is trying to ping you - probably in
> > an attempt to map out your network.
> > 
> > Bob
> > 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paulo
> > Sent: Monday, June 06, 2005 12:51 PM
> > To: Frank Knobbe
> > Cc: Snort.org List
> > Subject: Re: [Snort-users] Alerts of the ICMP relationship with smtp connection?
> > 
> > Thanks Frank,
> > 
> > How can I confirm this? The alerts are ICMP type 8.
> > 
> > 
> > Thanks for the help again.
> > 
> > --- Frank Knobbe <frank at ...9761...> wrote:
> > 
> > > On Mon, 2005-05-30 at 13:40 -0700, Paulo wrote:
> > > > I didn't solve this yet. Please, can anyone help me?
> > > 
> > > Maybe you didn't get responses because it's not a Snort related issue.
> > > 
> > > To answer your question, read up on Path Maximum Transmit Unit (PMTU)
> > > Discovery by googling it. Here are a couple of links that Google spit out
> > > right away.
> > > 
> > > http://www.netheaven.com/pmtu.html
> > > which also references
> > > ftp://ftp.rfc-editor.org/in-notes/rfc1191.txt
> > > 
> > > While you are learning about PMTU, please review your firewall rule
> > > set and make sure you don't block ALL inbound ICMP packets. Please let
> > > at least type 3 and type 11 ICMP packets through.
> > > 
> > > (Hint: The remote mail servers are sending a large ICMP packet in
> > > order to discover the MTU between them and you. It is harmless
> > > traffic.)
> > > 
> > > Hope that helps,
> > > Frank
> > > 
> > > 
=== message truncated ===
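The three alerts Paulo pasted, run through a small parser to check Bruce's observation that several rules logged one ping: this is an added example, not code from the thread or from Snort, and its sample input is constructed from the alerts above with the wrapped "src -> dst" lines rejoined. Alerts that share a timestamp, IP ID and ICMP echo ID/sequence are one packet on the wire, and each one's DgmLen and DF flag can be read off directly.

```python
import re
# Constructed sample: the three alerts pasted in the thread, "src -> dst" lines rejoined.
SAMPLE_ALERTS = """\
[**] [1:366:7] ICMP PING *NIX [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:23.865467 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:2 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:2 ECHO
[Xref => http://www.whitehats.com/info/IDS152]
"""

# One Snort "full"-format ICMP alert record; a trailing [Xref] line is simply skipped.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\][ \t]*\n"
    r"\[Classification: [^\]]*\] \[Priority: \d+\][ \t]*\n"
    r"(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)[ \t]*\n"
    r"ICMP TTL:\d+ TOS:\S+ ID:(?P<ipid>\d+) IpLen:\d+ DgmLen:(?P<len>\d+)(?P<df> DF)?[ \t]*\n"
    r"Type:(?P<type>\d+) Code:(?P<code>\d+) ID:(?P<echoid>\d+) Seq:(?P<seq>\d+)"
)

def parse_alerts(text):
    """Return one dict per alert record; numeric fields become ints, df a bool."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        a["df"] = a["df"] is not None
        a.update({k: int(a[k]) for k in ("sid", "ipid", "len", "type", "code", "echoid", "seq")})
        alerts.append(a)
    return alerts

def group_by_packet(alerts):
    """Map each distinct packet (timestamp, endpoints, IP ID, echo ID/seq) to the SIDs that fired on it."""
    groups = {}
    for a in alerts:
        key = (a["ts"], a["src"], a["dst"], a["ipid"], a["echoid"], a["seq"])
        groups.setdefault(key, []).append(a["sid"])
    return groups
```

Grouping the sample yields two packets: SIDs 366 and 384 both matched the first echo request and 368 matched the second, so the log shows rule overlap rather than three separate pings. DgmLen:84 is 20 bytes of IP header, 8 of ICMP header and 56 of data, the default ping size, far from the 1500-byte packet a PMTU probe would carry.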



		