[Snort-users] Alerts of the ICMP relationship with smtp connection?

Paulo listassec at ...131...
Fri Jun 10 05:45:35 EDT 2005


Hi,

I have new information about this case. The receiving
mail server is Merak Mail Server Software 8.0.3.

Does anyone know this server? Does it make ICMP
requests while receiving e-mail?

Thanks again.

--- Paulo <listassec at ...131...> wrote:

> Hi Bruce,
> 
> Thanks again. For each e-mail sent, Snort
> registered many ICMP alerts, always of three
> different types (ICMP PING *NIX; ICMP PING; ICMP
> PING BSDtype).
> 
> Paulo
> 
> --- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
> 
> > The DF bit indicates that anything transferring
> > the packet, such as a router, is not allowed to
> > fragment the packet into smaller chunks to get it
> > to its destination.
> > This could be done by PMTU checking, but the
> > packet size is quite small for PMTU.
> > 
> > I'm not sure why your server is sending these out.
> > 
> > It looks like you have 3 rules which are logging 1
> > ping packet.  Either that or the packet is being
> > sent 3 times with identical info.
> > 
> > Bruce
> > 
> > -----Original Message-----
> > From: Paulo [mailto:listassec at ...131...] 
> > Sent: Tuesday, June 07, 2005 10:17 AM
> > To: Briggs, Bruce; Bob Konigsberg
> > Cc: Snort.org List
> > Subject: RE: [Snort-users] Alerts of the ICMP
> > relationship with smtp connection?
> > 
> > Hi Bruce,
> > 
> > Thanks for the help. Below are the Snort alerts,
> > where 200.201.202.203 is the IP address of the
> > mail destination and 200.201.101.102 is my IP
> > address.
> > 
> > [**] [1:366:7] ICMP PING *NIX [**]
> > [Classification: Misc activity] [Priority: 3] 
> > 05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
> > ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
> > Type:8 Code:0 ID:31252 Seq:1 ECHO
> > 
> > [**] [1:384:5] ICMP PING [**]
> > [Classification: Misc activity] [Priority: 3] 
> > 05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
> > ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
> > Type:8 Code:0 ID:31252 Seq:1 ECHO 
> > 
> > [**] [1:368:6] ICMP PING BSDtype [**]
> > [Classification: Misc activity] [Priority: 3] 
> > 05/18-10:27:23.865467 200.201.202.203 -> 200.201.101.102
> > ICMP TTL:54 TOS:0x0 ID:2 IpLen:20 DgmLen:84 DF
> > Type:8 Code:0 ID:31252 Seq:2 ECHO
> > [Xref => http://www.whitehats.com/info/IDS152] 
> > 
> > The ICMP packet is small and the DF flag is set.
> > I was looking at the size of the TCP packets that
> > my Postfix sends, and they are 1500 bytes.
> > Does the DF flag in the ICMP packet mean that the
> > destination mail server is telling Postfix not to
> > fragment packets?
> > 
> > Normally the mails sent carry CorelDraw file
> > attachments, almost always 1 Mb or more.
> > 
> > Thanks for the help again.
> > 
> > 
> > --- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
> > 
> > > Since these are echo request (ping) ICMP
> > > packets, they are not likely to be caused by
> > > PMTU checking.
> > > However, some servers do a ping prior to sending,
> > > to make sure that the far end is up.
> > > 
> > > You need to inspect the ICMP packet to see if it
> > > is a big (near 1500 bytes) or small packet, if
> > > the do-not-fragment bit is set, etc., to try to
> > > ascertain why this may be sent by the sending
> > > software.
> > > 
> > > Perhaps you should ask the software provider why
> > > it sends out ICMP packets.
> > > 
> > > Bruce
> > > 
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net
> > > [mailto:snort-users-admin at lists.sourceforge.net]
> > > On Behalf Of Paulo
> > > Sent: Tuesday, June 07, 2005 7:59 AM
> > > To: Bob Konigsberg
> > > Cc: Snort.org List
> > > Subject: RE: [Snort-users] Alerts of the ICMP
> > > relationship with smtp connection?
> > > 
> > > Hi Bob,
> > > 
> > > Thanks for the help. The message below is my
> > > original message. Since sending it, I have been
> > > searching for an answer to this question.
> > > 
> > > In a test, I watched the Postfix maillog while
> > > Postfix was sending mail, and at the same time I
> > > watched the Snort alert log.
> > > 
> > > The Snort alerts are generated exactly while
> > > Postfix sends mail.
> > > 
> > > The files I was watching are /var/log/maillog
> > > and /var/log/snort/alert.
> > > 
> > > I think the alerts are harmless traffic, but I'd
> > > like to understand why it is generated.
> > > 
> > > Thanks for the help again.
> > > 
> > > 
> > > ORIGINAL MESSAGE:
> > > I am using Snort Version 2.3.2 (Build 12).
> > > I have the following alerts in my Snort logs:
> > > 
> > > 366 - ICMP Ping *nix
> > > 384 - ICMP Ping
> > > 368 - Ping BSDtype
> > > 
> > > I investigated my other systems' logs, and the
> > > time at which this alert is recorded is the same
> > > as that of the SMTP connection registered in the
> > > maillog file of my Postfix server.
> > > 
> > > The source IP address in Snort's log is equal to
> > > the destination IP address of the SMTP connection
> > > in the maillog.
> > > 
> > > Can these alerts be generated by my mail server
> > > when it sends mail?
> > > 
> > > Are these alerts a false positive?
> > > 
> > > Thanks for the help
> > > 
> > > 
> > > --- Bob Konigsberg <bobkberg at ...12746...> wrote:
> > > 
> > > > ICMP type 8 is an echo request - someone is
> > > > trying to ping you - probably in an attempt to
> > > > map out your network.
> > > > 
> > > > Bob 
> > > > 
> > > > -----Original Message-----
> > > > From: snort-users-admin at lists.sourceforge.net
> > > > [mailto:snort-users-admin at lists.sourceforge.net]
> > > > On Behalf Of Paulo
> > > > Sent: Monday, June 06, 2005 12:51 PM
> > > > To: Frank Knobbe
> 
=== message truncated ===
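Bruce's reading of the alerts (three rules logging one ping) and Paulo's manual side-by-side check of /var/log/snort/alert against /var/log/maillog can both be done mechanically. The Python script below is an added example, not code from this thread, from Snort or from Postfix: it parses the three full-format alerts quoted above, collapses alerts that describe the same datagram, and pairs each distinct echo request with a Postfix delivery to the same peer inside a time window. The maillog line (its host name, queue id and recipient), the year (Snort full-format alerts carry no year) and the 10-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the three full-format Snort alerts quoted in the
# thread, one record per blank-line-separated block.
SNORT_ALERTS = """\
[**] [1:366:7] ICMP PING *NIX [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:23.865467 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:2 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:2 ECHO
[Xref => http://www.whitehats.com/info/IDS152]
"""

# Constructed Postfix maillog line (hypothetical host, queue id, recipient);
# the delivery to the pinging peer is timed a couple of seconds before the pings.
MAILLOG = """\
May 18 10:27:20 mx postfix/smtp[4321]: 1A2B3C4D5E: to=<user@example.com>, relay=mail.example.com[200.201.202.203]:25, delay=5.2, status=sent (250 OK)
"""

YEAR = 2005  # assumed: neither log format above carries a year

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PKT_RE = re.compile(r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) -> (\S+)")
IP_RE = re.compile(r"ICMP TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)( DF)?")
ICMP_RE = re.compile(r"Type:(\d+) Code:(\d+) ID:(\d+) Seq:(\d+)")
MAILLOG_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ postfix/smtp\[\d+\]: \S+: "
    r"to=<[^>]*>, relay=\S+\[([\d.]+)\]")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_alerts(text, year=YEAR):
    """Parse Snort full-format ICMP alert records into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        h, p, ip, ic = (r.search(block) for r in (HEADER_RE, PKT_RE, IP_RE, ICMP_RE))
        if not (h and p and ip and ic):
            continue  # not an ICMP record in full format; skip it
        mon, day, hh, mm, ss, usec = (int(x) for x in p.group(1, 2, 3, 4, 5, 6))
        alerts.append({
            "sid": int(h.group(2)), "msg": h.group(4),
            "ts": datetime(year, mon, day, hh, mm, ss, usec),
            "src": p.group(7), "dst": p.group(8),
            "ip_id": int(ip.group(3)), "dgmlen": int(ip.group(5)),
            "df": ip.group(6) is not None,
            "type": int(ic.group(1)), "code": int(ic.group(2)),
            "icmp_id": int(ic.group(3)), "seq": int(ic.group(4)),
        })
    return alerts


def group_by_packet(alerts):
    """Collapse alerts that describe the same datagram (same timestamp,
    endpoints, IP ID and ICMP id/seq). Several SIDs under one key means
    several rules fired on one packet, not that the peer sent several."""
    packets = defaultdict(list)
    for a in alerts:
        key = (a["ts"], a["src"], a["dst"], a["ip_id"], a["icmp_id"], a["seq"])
        packets[key].append(a["sid"])
    return {k: sorted(v) for k, v in packets.items()}


def parse_maillog(text, year=YEAR):
    """Return (timestamp, relay_ip) for each Postfix smtp delivery line."""
    deliveries = []
    for line in text.splitlines():
        m = MAILLOG_RE.match(line)
        if m:
            ts = datetime(year, MONTHS[m.group(1)], int(m.group(2)),
                          int(m.group(3)), int(m.group(4)), int(m.group(5)))
            deliveries.append((ts, m.group(6)))
    return deliveries


def correlate(alerts, maillog, window_s=10):
    """Pair each distinct echo request with a Postfix delivery to the same
    peer whose log time lies within window_s seconds of the ping."""
    matches = []
    for (ts, src, _dst, _ip_id, _icmp_id, seq), sids in group_by_packet(alerts).items():
        for dts, relay_ip in parse_maillog(maillog):
            if relay_ip == src and abs((ts - dts).total_seconds()) <= window_s:
                matches.append({"ping_ts": ts, "peer": src, "seq": seq,
                                "sids": sids, "smtp_ts": dts})
    return matches


if __name__ == "__main__":
    alerts = parse_alerts(SNORT_ALERTS)
    print(f"{len(alerts)} alerts describe {len(group_by_packet(alerts))} packets")
    for m in correlate(alerts, MAILLOG):
        gap = abs((m["ping_ts"] - m["smtp_ts"]).total_seconds())
        print(f"ping seq={m['seq']} from {m['peer']} at {m['ping_ts'].time()} "
              f"fired SIDs {m['sids']}, {gap:.1f}s after SMTP delivery to that host")
```

Run as a script, it reports that the three alerts describe two packets (seq 1 matched by SIDs 366 and 384, seq 2 by 368) and that each lands within seconds of the SMTP delivery to 200.201.202.203. Once that correlation is confirmed on real logs, the tuning question is whether an 84-byte DF echo request from a peer you have just delivered mail to deserves an alert at all, or whether those SIDs should be suppressed for known mail relays.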

