[Snort-users] Alerts of the ICMP relationship with smtp connection?

Paulo listassec at ...131...
Wed Jun 8 05:08:54 EDT 2005


Hi Bruce,

Thanks again. For each e-mail sent, Snort
registered many ICMP alerts, always of three
different types (ICMP PING *NIX; ICMP PING; ICMP PING
BSDtype).

Paulo

--- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:

> The DF bit indicates that anything transferring the
> packet, such as a router, is not allowed to fragment
> the packet into smaller chunks to get it to its
> destination.
> This could be done by PMTU checking, but the packet
> size is quite small for PMTU.
> 
> I'm not sure why your server is sending these out.
> 
> It looks like you have 3 rules which are logging 1
> ping packet.  Either that or the packet is being
> sent 3 times with identical info.
> 
> Bruce
> 
> -----Original Message-----
> From: Paulo [mailto:listassec at ...131...] 
> Sent: Tuesday, June 07, 2005 10:17 AM
> To: Briggs, Bruce; Bob Konigsberg
> Cc: Snort.org List
> Subject: RE: [Snort-users] Alerts of the ICMP
> relationship with smtp connection?
> 
> Hi Bruce,
> 
> Thanks for the help. Below are the snort alerts,
> where 200.201.202.203 is the IP address of the
> mail destination and 200.201.101.102 is my IP
> address.
> 
> [**] [1:366:7] ICMP PING *NIX [**]
> [Classification: Misc activity] [Priority: 3] 
> 05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
> ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
> Type:8 Code:0 ID:31252 Seq:1 ECHO
> 
> [**] [1:384:5] ICMP PING [**]
> [Classification: Misc activity] [Priority: 3] 
> 05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
> ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
> Type:8 Code:0 ID:31252 Seq:1 ECHO 
> 
> [**] [1:368:6] ICMP PING BSDtype [**]
> [Classification: Misc activity] [Priority: 3] 
> 05/18-10:27:23.865467 200.201.202.203 -> 200.201.101.102
> ICMP TTL:54 TOS:0x0 ID:2 IpLen:20 DgmLen:84 DF
> Type:8 Code:0 ID:31252 Seq:2 ECHO
> [Xref => http://www.whitehats.com/info/IDS152] 
> 
> The ICMP packet is small and the DF flag is set.
> I was looking at the size of the TCP packets that my
> Postfix sends, and they are 1500 bytes.
> Does the DF flag in the ICMP packet mean that the
> destination mail server is telling Postfix not to
> fragment packets?
> 
> Normally, the mails sent have CorelDraw files
> attached, almost always 1 Mb or more.
> 
> Thanks for the help again.
> 
> 
> --- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
> 
> > Since these are echo request (ping) ICMP packets,
> > they are not likely to be caused by PMTU checking.
> > However, some servers do a ping prior to sending,
> > to make sure that the far end is up.
> > 
> > You need to inspect the ICMP packet to see if it
> > is a big (near 1500 bytes) or small packet, if the
> > do not fragment bit is set, etc. to try to ascertain
> > why this may be sent by the sending software.
> > 
> > Perhaps you should ask the software provider why it
> > sends out ICMP packets.
> > 
> > Bruce
> > 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]
> > On Behalf Of Paulo
> > Sent: Tuesday, June 07, 2005 7:59 AM
> > To: Bob Konigsberg
> > Cc: Snort.org List
> > Subject: RE: [Snort-users] Alerts of the ICMP
> > relationship with smtp
> > connection?
> > 
> > Hi Bob,
> > 
> > Thanks for the help. The message below is my original
> > message. Since that message, I have been searching for
> > an answer to this question.
> > 
> > In a test, I was watching the maillog of Postfix
> > while Postfix sent the mail. At the same time I was
> > watching the alert log of Snort too.
> > 
> > The alerts in Snort are generated exactly while
> > Postfix sends mails.
> > 
> > The files that I was watching are /var/log/maillog
> > and /var/log/snort/alert.
> >  
> > I think that the alerts are harmless traffic, but
> > I'd like to understand why they are generated.
> > 
> > Thanks for the help again.
> > 
> > 
> > ORIGINAL MESSAGE:
> > I am using Snort Version 2.3.2 (Build 12).
> > I have in my snort logs the alerts:
> > 
> > 366 - ICMP Ping *nix
> > 384 - ICMP Ping
> > 368 - Ping BSDtype
> >  
> > I investigated my other systems' logs, and the
> > time at which this alert is recorded is the same
> > as that of the smtp connection registered in the
> > maillog file of my postfix server.
> > 
> > The source IP address in snort's log is equal to the
> > destination IP address of the smtp connection in
> > the maillog.
> >  
> > Can these alerts be generated by my mail server
> > when it sends mails?
> >  
> > Are these alerts a false positive?
> >  
> > Thanks for the help
> > 
> > 
> > --- Bob Konigsberg <bobkberg at ...12746...> wrote:
> > 
> > > ICMP type 8 is an echo request - someone is
> > > trying to ping you - probably in
> > > an attempt to map out your network.
> > > 
> > > Bob 
> > > 
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net
> > > [mailto:snort-users-admin at lists.sourceforge.net]
> > > On Behalf Of Paulo
> > > Sent: Monday, June 06, 2005 12:51 PM
> > > To: Frank Knobbe
> > > Cc: Snort.org List
> > > Subject: Re: [Snort-users] Alerts of the ICMP
> > > relationship with smtp
> > > connection?
> > > 
> > > Thanks Frank,
> > > 
> > > How can I confirm this? The alerts are ICMP
> > > type 8.
> > > 
> > > 
> > > Thanks for the help again.
> > > 
> > > --- Frank Knobbe <frank at ...9761...> wrote:
> > > 
> > > > On Mon, 2005-05-30 at 13:40 -0700, Paulo wrote:
> > > > > I didn't solve this yet. Please, can anyone
> > > > > help me?
> > > > 
> > > > Maybe you didn't get responses because it's
> > > > not a Snort related issue.
> > > > 
> 
=== message truncated ===
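The triage the thread converges on can be scripted: parse the three quoted alerts, collapse the ones that fired on the same datagram (Bruce's point that several rules may log one packet; here SIDs 366 and 384 share one timestamp, IP ID and ICMP sequence, while 368 is a second packet), flag the DF bit and datagram size, and then pair each pinging host with Postfix deliveries to that same relay IP within a short time window, which is the manual maillog-versus-alert comparison Paulo describes. This is an added example, not code from the thread or from the Snort or Postfix projects. It assumes the year 2005 (Snort's alert format omits it), a 30-second correlation window, and two constructed maillog lines (hostname, queue IDs, addresses and the second relay are made up; the first relay IP is the one from the thread).

```python
import re
from datetime import datetime, timedelta

YEAR = 2005  # assumption: the quoted alerts carry no year

# The three alerts quoted in the thread (wrapped src -> dst lines rejoined).
SNORT_ALERTS = """\
[**] [1:366:7] ICMP PING *NIX [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:23.865467 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:2 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:2 ECHO
[Xref => http://www.whitehats.com/info/IDS152]
"""

# Constructed Postfix smtp delivery lines; only the first relay IP is from the thread.
MAILLOG = """\
May 18 10:27:25 mail postfix/smtp[2213]: 7A1B2C3D4E: to=<user@example.com>, relay=mx.example.com[200.201.202.203]:25, delay=4, status=sent (250 Ok: queued)
May 18 10:40:05 mail postfix/smtp[2251]: 9F8E7D6C5B: to=<other@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1, status=sent (250 Ok)
"""

HEADER_RE = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]')
FLOW_RE = re.compile(r'(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) -> (\S+)')
IP_RE = re.compile(r'ICMP TTL:(\d+) TOS:\S+ ID:(\d+) IpLen:\d+ DgmLen:(\d+)( DF)?')
ICMP_RE = re.compile(r'Type:(\d+) Code:(\d+) ID:(\d+) Seq:(\d+)')
MAIL_RE = re.compile(r'^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ postfix/smtp\[\d+\]: (\w+): '
                     r'to=<[^>]+>, relay=\S+?\[(\d+\.\d+\.\d+\.\d+)\]:\d+, .*status=(\w+)')
MONTHS = {m: i for i, m in enumerate(
    ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], start=1)}


def parse_snort_alerts(text, year=YEAR):
    """Parse full-format Snort ICMP alerts; one dict per alert block."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        h, f = HEADER_RE.search(block), FLOW_RE.search(block)
        i, c = IP_RE.search(block), ICMP_RE.search(block)
        if not (h and f and i and c):
            continue  # not an ICMP alert in the expected layout
        mon, day, hh, mm, ss, us, src, dst = f.groups()
        alerts.append({
            'sid': int(h.group(2)), 'msg': h.group(4),
            'time': datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), int(us)),
            'src': src, 'dst': dst, 'ip_id': int(i.group(2)),
            'dgmlen': int(i.group(3)), 'df': i.group(4) is not None,
            'type': int(c.group(1)), 'icmp_id': int(c.group(3)), 'seq': int(c.group(4)),
        })
    return alerts


def group_by_packet(alerts):
    """Collapse alerts that fired on the same datagram; keyed by timestamp, hosts, IP ID, ICMP ID/seq."""
    packets = {}
    for a in alerts:
        key = (a['time'], a['src'], a['dst'], a['ip_id'], a['icmp_id'], a['seq'])
        p = packets.setdefault(key, {'sids': [], 'df': a['df'], 'dgmlen': a['dgmlen']})
        p['sids'].append(a['sid'])
    return packets


def parse_maillog(text, year=YEAR):
    """Extract time, queue id and relay IP from Postfix smtp delivery lines."""
    out = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            mon, day, hh, mm, ss, qid, relay_ip, status = m.groups()
            out.append({'time': datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss)),
                        'queue_id': qid, 'relay_ip': relay_ip, 'status': status})
    return out


def correlate(packets, deliveries, window=timedelta(seconds=30)):
    """Pair each ping source with deliveries whose relay IP matches, close in time."""
    hits = []
    for (t, src, _dst, _ipid, _icmpid, seq), p in packets.items():
        for d in deliveries:
            if d['relay_ip'] == src and abs(d['time'] - t) <= window:
                hits.append({'time': t, 'peer': src, 'seq': seq, 'sids': p['sids'],
                             'df': p['df'], 'dgmlen': p['dgmlen'], 'queue_id': d['queue_id']})
    return hits


def summarize(alert_text=SNORT_ALERTS, maillog_text=MAILLOG):
    """Alert count, distinct packet count and ping/delivery matches for a pair of logs."""
    packets = group_by_packet(parse_snort_alerts(alert_text))
    hits = correlate(packets, parse_maillog(maillog_text))
    return {'alerts': sum(len(p['sids']) for p in packets.values()),
            'packets': len(packets), 'hits': hits}


if __name__ == '__main__':
    s = summarize()
    print(f"{s['alerts']} alerts on {s['packets']} packets")
    for h in s['hits']:
        print(f"{h['time']} {h['peer']} seq={h['seq']} sids={h['sids']} "
              f"DF={h['df']} len={h['dgmlen']} -> queue {h['queue_id']}")
```

Run against the real /var/log/snort/alert and /var/log/maillog, the same two functions tell you how many alerts are duplicates of one packet, whether every ping is the small DF-set echo request seen here, and which deliveries each one lines up with; pings from hosts that never appear as a Postfix relay are the ones left to investigate.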