Snort mailing list archives

RE: trace files filling with ICMP


From: "Ofir Arkin" <ofir () sys-security com>
Date: Sun, 30 Dec 2001 14:23:38 -0000

Umm, hehehe :)

Are these ICMP datagrams you are seeing Echo Requests or Replies?
Also, are they 1500 bytes long?
Also, is one of your systems running HPUX 11.x or an AIX 4.3.x/5.x?
Is the system you query a DNS of some sort?

Cheers

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Phil Wood
Sent: Friday, 28 December 2001 19:52
To: Sheahan, Paul (PCLN-NW)
Cc: 'Phil Wood'; Snort List (E-mail)
Subject: Re: [Snort-users] trace files filling with ICMP

Look for 10.10.10.10 -> 204.71.200.75 around 12/27-00:16:16.967053 in your
fast alert file and see what it might say.

I think if you run Version 1.8.3 (Build 88), those "icmp" packets might
go away.

On Fri, Dec 28, 2001 at 12:12:25PM -0500, Sheahan, Paul (PCLN-NW) wrote:

Thanks Phil.....info you requested is below.

I am using Snort Version 1.8.1-RELEASE (Build 78)
Running Red Hat Linux 7.0 on a Compaq DL360 (x86 architecture)

Script I use to start Snort (I use this on all my Snort boxes and it has
always worked fine):
/usr/local/bin/snort -A fast -c /etc/snort/snort.conf -i eth0 -l /var/log/snort -o -N -b -L traces

Problem:
Even though I have ICMP.RULES and ICMP-INFO.RULES commented out in
snort.conf, my "traces" file fills up with ICMP related info, so much that
the traces file is about 700 meg each day. I am using the latest
Snort-current rules from Snort.org and have all of the .RULES files enabled
except for icmp.rules and icmp-info.rules (I just tried this as a test).
Note that even though the traces file fills with ICMP info, the actual
alerts file does not have any ICMP related alerts.

Example from traces file below. Note this is just part of the packet. For
example, this trace for this particular machine to machine communication
actually lasts about 10 full screens in the traces file, which is kind of
odd because normally traces are 15 lines or so. I have seen no Snort error
messages.

Anyone have any ideas on this? In the meantime I will upgrade to the latest
Snort and Snort rules just to rule out anything there......Thanks.



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/27-00:16:16.967053 10.10.10.10 -> 204.71.200.75
ICMP TTL:254 TOS:0x0 ID:30677 IpLen:20 DgmLen:28


-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Thursday, December 27, 2001 4:15 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] trace files filling with ICMP


Normally, when indicating a version one shows the output of the version
switch (there are numerous 1.8's out there, some of which can create
malformed packets).

Your best bet, in getting help from the list, is to have first read the
BUGS file, and to include the appropriate information from there along
with the version:

   # snort -V

to assist others in helping you get a grip.

Just because it's Christmas week, I'll ask you to fill in the blanks.
An asterisk would be relevant in your case, two asterisks, even more so:

** Snort version:

* System Architecture (Sparc, x86, etc):

** Operating System and version (Linux 2.0.22, IRIX 5.3, etc):

** What rules (if any) you were using:

** What command line switches you were using:

* Any Snort error messages:

On Wed, Dec 26, 2001 at 06:13:11PM -0500, Sheahan, Paul (PCLN-NW) wrote:

Hello,

I have Snort 1.8 running on Red Hat Linux 7.0. I just downloaded the latest
Snort rules and also installed the latest snort.conf from the archive. My
trace files are huge (700 meg) and looking in them I see a lot of traces
like below, though my reports aren't showing any ICMP stuff. For some
reason the trace feature is gathering all ICMP traffic and it's making the
logs unmanageable. Anyone know how to get rid of this? Thanks!



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/23-00:16:14.370558 10.10.10.10 -> 200.200.200.200
ICMP TTL:254 TOS:0x0 ID:12291 IpLen:20 DgmLen:28


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


-- 
Phil Wood, cpw () lanl gov
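Phil's pointer to look for the 10.10.10.10 -> 204.71.200.75 entry, together with Paul's observation that a DgmLen:28 datagram is followed by ten screens of dump, suggests a simple sanity check on the trace file. As an added example (not code from the thread or from Snort), this Python parser reads Snort 1.8-style trace entries, computes the ICMP-layer length the IP header declares (DgmLen minus IpLen) and flags entries whose hex dump runs longer than that; the two sample entries are constructed to resemble the ones quoted above.

```python
import re

# Constructed sample in the Snort 1.8 "traces" layout: the first entry mimics
# the thread's 28-byte ICMP datagram followed by an oversized all-zero dump,
# the second is a normal-looking 16-byte ICMP echo request.
SAMPLE = """\
12/27-00:16:16.967053 10.10.10.10 -> 204.71.200.75
ICMP TTL:254 TOS:0x0 ID:30677 IpLen:20 DgmLen:28
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/27-00:17:01.000001 10.10.10.20 -> 10.10.10.1
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:36
08 00 F7 FF 00 00 00 00 00 00 00 00 00 00 00 00  ................
"""

HEADER = re.compile(r"^(\S+) (\S+) -> (\S+)$")            # timestamp src -> dst
IPLINE = re.compile(r"^ICMP .*IpLen:(\d+) DgmLen:(\d+)$")  # IP header summary
HEXROW = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")       # up to 16 bytes per row

def parse_traces(text):
    """Return one dict per entry: ts, src, dst, declared ICMP bytes, dumped bytes."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group(1), "src": m.group(2), "dst": m.group(3),
                   "declared": None, "dumped": 0}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = IPLINE.match(line)
        if m:
            # DgmLen covers the whole IP datagram; subtracting IpLen leaves the
            # ICMP header plus payload, which is what the hex dump should show.
            cur["declared"] = int(m.group(2)) - int(m.group(1))
            continue
        m = HEXROW.match(line)
        if m:
            cur["dumped"] += len(m.group(1).split())
    return entries

def oversized_dumps(text):
    """Entries whose hex dump is longer than the IP header says it can be."""
    return [e for e in parse_traces(text)
            if e["declared"] is not None and e["dumped"] > e["declared"]]
```

Running `oversized_dumps` over a real traces file narrows 700 MB of output down to the entries worth comparing against the fast alert file and the Snort version in use.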

