Snort mailing list archives
RE: ICMP Destination ... (Port Unreachable) Help
From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Mon, 3 Feb 2003 07:51:17 +0800
Brian,

Couple of things need to be clarified here. Where is your sensor located, the destination machine(s), your source host, and where is your firewall located...! ICMP messages are usually sent by routing devices and not the destination host, as a means to inform the sender host what is going on. If you really want to understand what is going on, run "snoop -v -d interface" if you are running the sensor on a Unix platform (or any other packet capture utility) on the sensor that generated the alert(s), and only then would you find out the original destination IP address. Probably then you could explain why these alerts are generated.

Best Regards
Ohanes Semerjian

-----Original Message-----
From: Brian Blake [mailto:BBlake () AmericanBackground com]
Sent: Wednesday, 29 January 2003 9:08 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] ICMP Destination ... (Port Unreachable) Help

In the past two days I have had a machine generating over 5k hits a day. The traffic shows up via snort as ICMP Destination Unreachable (Port Unreachable). The machine in question has sent this same traffic to about 10 different addresses, but all on the same day. I have talked with two other people who know networking and TCP/IP and they are just as stumped. The system is running up to date with McAfee Virusscan 4.51 sp1. Below you will find the info extracted from snort. I researched port 137 scans on the SANS website with no real help. ( http://www.sans.org/resources/idfaq/port_137.php ) Any help is greatly appreciated. (IP's removed to be nice)

#(1 - 43761) [2003-01-28 13:23:56] [snort/402] ICMP Destination Unreachable (Port Unreachable)
IPv4: ***.***.***.*** -> 192.168.2.17
      hlen=5 TOS=192 dlen=106 ID=20950 flags=0 offset=0 TTL=239 chksum=48542
ICMP: type=Destination Unreachable code=Port Unreachable
      checksum=47270 id= seq=
Payload: length = 82
000 : 00 00 00 00 45 00 00 4E EF 8B 00 00 6F 11 A0 B5 ....E..N....o...
010 : C0 A8 02 11 0C 9E EC 06 00 89 00 89 00 3A 83 B9 .............:..
020 : 81 17 00 00 00 01 00 00 00 00 00 00 20 43 4B 41 ............ CKA
030 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
040 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
050 : 00 01                                           ..

#(1 - 43816) [2003-01-28 13:24:10] [snort/402] ICMP Destination Unreachable (Port Unreachable)
IPv4: ***.***.***.*** -> 192.168.2.17
      hlen=5 TOS=192 dlen=106 ID=35055 flags=0 offset=0 TTL=250 chksum=57558
ICMP: type=Destination Unreachable code=Port Unreachable
      checksum=21333 id= seq=
Payload: length = 82
000 : 00 00 00 00 45 00 00 4E 5F 80 00 00 7B 11 8A 12 ....E..N_...{...
010 : C0 A8 02 11 50 43 43 10 00 89 00 89 00 3A E8 24 ....PCC......:.$
020 : 81 FD 00 00 00 01 00 00 00 00 00 00 20 43 4B 41 ............ CKA
030 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
040 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
050 : 00 01                                           ..

Brian Blake
PC Technician
Information Services
American Background Information Services, Inc.
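Ohanes's point is that the Snort 402 alert names the router that sent the ICMP error, not the host the local machine was talking to; that information sits inside the ICMP payload, which quotes the original IP header plus the first bytes of the datagram. The dumps above have exactly that layout: 4 unused bytes, a 20-byte IP header whose source is 192.168.2.17 (C0 A8 02 11), a UDP header with source and destination port 137 (00 89 00 89), and a NetBIOS Name Service question whose 32-character name "CKAAAA..." is the RFC 1001 first-level encoding of "*" followed by fifteen NUL bytes, with question type 0x21 (node status, the query `nbtstat -A` sends). The script below, an added example that is not part of the thread, parses such a payload and reports the original destination and the NetBIOS question. The sample payload is constructed to mirror the first dump but with the peer address replaced by the documentation address 198.51.100.7, so no real third-party host from the poster's dump is named.

```python
"""Decode the datagram quoted inside an ICMP Destination Unreachable
(Port Unreachable) message so the operator sees the original destination
host and port, not just the router that sent the ICMP error.
Added example for the snort-users thread; not code from the thread."""
import ipaddress
import struct

NBNS_PORT = 137
QTYPE_NB = 0x20      # NetBIOS name query
QTYPE_NBSTAT = 0x21  # NetBIOS node status query (what nbtstat -A sends)


def decode_netbios_name(encoded: bytes) -> bytes:
    """Reverse RFC 1001 first-level encoding: each nibble was stored as 'A' + nibble."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        out.append(((hi - 0x41) << 4) | (lo - 0x41))
    return bytes(out)  # 15 name bytes + 1 suffix byte


def parse_nbns_question(data: bytes) -> dict:
    """Parse the header and first question of a NetBIOS Name Service packet."""
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    name_len = data[12]
    encoded = data[13:13 + name_len]
    pos = 13 + name_len
    if data[pos] != 0:
        raise ValueError("expected a single-label NetBIOS name")
    qtype, qclass = struct.unpack("!HH", data[pos + 1:pos + 5])
    raw = decode_netbios_name(encoded)
    return {
        "txid": txid, "flags": flags, "qdcount": qdcount,
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"),
        "suffix": raw[15], "qtype": qtype, "qclass": qclass,
    }


def parse_port_unreachable_payload(payload: bytes) -> dict:
    """payload = the bytes after the ICMP type/code/checksum: 4 unused bytes,
    then the quoted IP header and at least 8 bytes of the original datagram."""
    inner = payload[4:]
    ihl = (inner[0] & 0x0F) * 4
    ttl, proto = inner[8], inner[9]
    result = {
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "proto": proto, "ttl": ttl,
    }
    if proto == 17:  # UDP: ports and length are in the quoted 8 bytes
        sport, dport, ulen = struct.unpack("!HHH", inner[ihl:ihl + 6])
        result.update({"sport": sport, "dport": dport, "udp_len": ulen})
        udp_payload = inner[ihl + 8:]
        if dport == NBNS_PORT and len(udp_payload) >= 12:
            result["nbns"] = parse_nbns_question(udp_payload)
    return result


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IP header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_payload() -> bytes:
    """Constructed sample with the same layout as the thread's first dump:
    192.168.2.17 sends an NBSTAT '*' query, UDP 137 -> 137, to 198.51.100.7
    (a documentation address standing in for the poster's real peer)."""
    # NBNS header: txid, flags=0 (query), 1 question, no answer/authority/additional
    question = struct.pack("!HHHHHH", 0x8117, 0, 1, 0, 0, 0)
    encoded_name = b"CK" + b"A" * 30  # '*' followed by 15 NUL bytes
    question += bytes([32]) + encoded_name + b"\x00" + struct.pack("!HH", QTYPE_NBSTAT, 1)
    udp = struct.pack("!HHHH", 137, 137, 8 + len(question), 0) + question  # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xEF8B, 0, 111, 17, 0,
                     ipaddress.IPv4Address("192.168.2.17").packed,
                     ipaddress.IPv4Address("198.51.100.7").packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return b"\x00\x00\x00\x00" + ip + udp


if __name__ == "__main__":
    for key, value in parse_port_unreachable_payload(build_sample_payload()).items():
        print(f"{key}: {value}")
```

To use it on a live alert, feed `parse_port_unreachable_payload()` the 82 payload bytes from the Snort dump (hex from the "Payload" section, starting at the four zero bytes); the `orig_dst` field is the address Ohanes says to look for, and a repeated NBSTAT "*" question from one internal host to many outside addresses is worth comparing against that host's own activity rather than against the routers that answered.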
Current thread:
- ICMP Destination ... (Port Unreachable) Help Brian Blake (Jan 28)
- Re: ICMP Destination ... (Port Unreachable) Help Erek Adams (Jan 28)
- <Possible follow-ups>
- RE: ICMP Destination ... (Port Unreachable) Help Semerjian, Ohanes (Feb 02)