RE: ICMP L3retriever Ping?

["John Berkers" <berjo () ozemail com au>]

I notice someone has already answered regarding the first signature, I've
made comments on some of the others:

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Barton
> Hodges
> Sent: Thursday, 30 August 2001 12:10
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] ICMP L3retriever Ping?
>
>
> Hi,
>
> I just started using snort, and I am seeing alot of
> the following types of packets coming to/from one of our machines.
>
> The machine runs DNS, SMTP, and SSH mostly visible to the outside.
>
> Are these log entries typical?  Could anybody explain
> them to me?
>
> What is the best method of finding out which process is
> causing these types of packets?
>
> Thanks for all the help.
>
> [**] ICMP L3retriever Ping [**]
> 08/15/01-16:06:08.029593 219.171.139.23 -> 219.171.139.24
> ICMP TTL:31 TOS:0x0 ID:32504 IpLen:20 DgmLen:60
> Type:8  Code:0  ID:2046   Seq:2281  ECHO
> 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50  ABCDEFGHIJKLMNOP
> 51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49  QRSTUVWABCDEFGHI

Comment from Joshua Wright is that this is generated by Win2K boxes.  I have
noticed the same.
> [**] MISC Large ICMP Packet [**]
> 08/15/01-16:54:40.265443 219.171.139.23 -> <other external ip>
> ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500
> Type:0  Code:0  ID:0  Seq:0  ECHO REPLY
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> <snip>
1500 Byte ICMP packets come from HP-UX systems performing some sort of load
balancing act.  We received a whole bunch of them from one network at one
stage, so I queried it with the admin, it can be turned off at the source,
but it might be a bit of a hassle chasing down admins for all of these
systems.  The target system for these packets was our DNS whenever either
mail was being sent, or our web proxy was fulfilling someone's request and
looking up the server address.

> [**] SCAN Proxy attempt [**]
> 08/15/01-23:14:42.608117 219.171.139.23:62276 -> <other external
> ip>:8080
> TCP TTL:127 TOS:0x0 ID:17682 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x5DC7D9B6  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
Someone trying to connect to a proxy server on 8080 (which is a relatively
common port, though not the default for either IIS or Squid).  In this case
it looks as though one of your machines is trying to use the proxy server at
the external address.  You might want to look at your HOME_NET variable in
your snort.conf. This should normally not trigger for outgoing proxy access.

> [**] MISC TCP port 0 traffic [**]
> 08/15/01-20:58:09.809308 <other external ip> -> 219.171.139.23:25
> TCP TTL:116 TOS:0x0 ID:51534 IpLen:20 DgmLen:44 DF
> ******S* Seq: 0x6775A66  Ack: 0x0  Win: 0x2000  TcpLen: 24
> TCP Options (1) => MSS: 1460

Port 0 is not supposed to be used by anything, at least not from my
understanding, though there are some vulnerabilities that can be exploited
(I think).  So port 0 traffic is generally bad.

Hope that clarifies things a bit.

Also, both http://snort.sourcefire.com/ and http://www.whitehats.com/ are
great sources of info.  Check them out.

Regards,

John Berkers                                       ICQ: 112912
Network Services                            Hansen Corporation
john.berkers () hancorp com au               berjo () ozemail com au

> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users