Snort mailing list archives
RE: Alerts of the ICMP relationship with smtp connection?
From: Paulo <listassec () yahoo com>
Date: Tue, 7 Jun 2005 04:58:35 -0700 (PDT)
Hi Bob,

Thanks for the help. The message below is my original message. After that message, I have been searching for an answer to this question. In a test, I was watching the maillog of Postfix while Postfix sent mail. At the same time I was watching the Snort alert log too. The alerts in Snort are generated exactly while Postfix sends mail. The files I was watching are /var/log/maillog and /var/log/snort/alert. I think the alerts are harmless traffic, but I'd like to understand why they are generated.

Thanks for the help again.

ORIGINAL MESSAGE:

I am using Snort Version 2.3.2 (Build 12). I have in my Snort logs the alerts:

366 - ICMP Ping *nix
384 - ICMP Ping
368 - Ping BSDtype

I investigated my other systems' logs, and the time at which this alert is recorded is the same as the SMTP connection registered in the maillog archive from my Postfix server. The source IP address in Snort's log is equal to the destination IP address of the SMTP connection in the maillog. Can these alerts be generated by my mail server when it sends mail? Are these alerts a false positive?

Thanks for the help

--- Bob Konigsberg <bobkberg () networkeval com> wrote:
> ICMP type 8 is an echo request - someone is trying to ping you - probably in an attempt to map out your network.
>
> Bob
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paulo
> Sent: Monday, June 06, 2005 12:51 PM
> To: Frank Knobbe
> Cc: Snort.org List
> Subject: Re: [Snort-users] Alerts of the ICMP relationship with smtp connection?
>
> Thanks Frank,
>
> How can I confirm this? The alerts are ICMP type 8.
>
> Thanks for the help again.
>
> --- Frank Knobbe <frank () knobbe us> wrote:
>
> > On Mon, 2005-05-30 at 13:40 -0700, Paulo wrote:
> > > I didn't solve this yet. Please, can anyone help me?
> >
> > Maybe you didn't get responses because it's not a Snort related issue.
> >
> > To answer your question, read up on Path Maximum Transmit Unit (PMTU) Discovery by googling it. Here are a couple of links that Google spit out right away.
> >
> > http://www.netheaven.com/pmtu.html
> >
> > which also references ftp://ftp.rfc-editor.org/in-notes/rfc1191.txt
> >
> > While you are learning about PMTU, please review your firewall ruleset and make sure you don't block ALL inbound ICMP packets. Please let at least type 3 and type 11 ICMP packets through.
> >
> > (Hint: The remote mail servers are sending a large ICMP packet in order to discover the MTU between them and you. It is harmless traffic.)
> >
> > Hope that helps,
> > Frank
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
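Paulo did the correlation above by eye: watching /var/log/maillog and /var/log/snort/alert side by side and noticing that the Snort alert's source IP matches the relay IP of an outbound Postfix delivery logged at the same moment. The script below automates that check. It is an added example, not code from this thread or from the Snort or Postfix projects. It assumes Snort is writing single-line "fast" alerts (the default multi-line alert file would need a different parser) and Postfix's standard syslog format; the hosts, IPs, queue ids and timestamps are constructed, and the SIDs 366, 368 and 384 are the ones named in the thread. An alert that lines up with a delivery to the same remote mail server is tagged as explained by the SMTP session; anything left over is what still deserves a look.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Snort single-line "fast" alert
# format and Postfix syslog lines; the addresses use documentation ranges.
SNORT_ALERTS = """\
06/07-04:58:35.104212 [**] [1:384:5] ICMP Ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
06/07-04:58:36.210007 [**] [1:366:7] ICMP Ping *nix [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.23 -> 192.0.2.10
06/07-05:10:02.000121 [**] [1:368:6] Ping BSDtype [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.99 -> 192.0.2.10
"""

MAILLOG = """\
Jun  7 04:58:34 mx postfix/smtp[2211]: 7A1B2C3D4E: to=<alice@example.com>, relay=mail.example.com[203.0.113.7]:25, delay=1.3, status=sent (250 2.0.0 Ok)
Jun  7 04:58:35 mx postfix/smtp[2212]: 8B2C3D4E5F: to=<bob@example.net>, relay=mx.example.net[198.51.100.23]:25, delay=0.9, status=sent (250 OK)
Jun  7 04:59:40 mx postfix/smtp[2213]: 9C3D4E5F60: to=<carol@example.org>, relay=smtp.example.org[192.0.2.77]:25, delay=2.1, status=sent (250 OK)
"""

# Neither log carries a year, so one is assumed for the sample.
YEAR = 2005

SNORT_RE = re.compile(
    r"^(?P<mmdd>\d\d/\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+ \[\*\*\] "
    r"\[1:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)
MAIL_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) \S+ postfix/smtp\[\d+\]: "
    r"(?P<qid>\w+): to=<(?P<rcpt>[^>]+)>, relay=[^\[]+\[(?P<ip>[\d.]+)\]:\d+"
)


def parse_snort(text):
    """Return one dict per Snort fast-format alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR}/{m['mmdd']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
        alerts.append({"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
                       "proto": m["proto"], "src": m["src"], "dst": m["dst"]})
    return alerts


def parse_maillog(text):
    """Return one dict per outbound Postfix delivery (the relay= host is the remote MX)."""
    deliveries = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        deliveries.append({"ts": ts, "qid": m["qid"], "relay_ip": m["ip"], "rcpt": m["rcpt"]})
    return deliveries


def correlate(alerts, deliveries, window=timedelta(seconds=5)):
    """Pair each ICMP alert with a delivery whose remote relay IP equals the alert's
    source IP and whose timestamp lies within `window` of the alert."""
    pairs = []
    for a in alerts:
        if a["proto"] != "ICMP":
            continue
        for d in deliveries:
            if a["src"] == d["relay_ip"] and abs(a["ts"] - d["ts"]) <= window:
                pairs.append((a, d))
    return pairs


def triage(alerts, deliveries, window=timedelta(seconds=5)):
    """Split alerts into those explained by a concurrent SMTP session with the same
    remote host and those that are not (the ones worth investigating)."""
    explained_ids = {id(a) for a, _ in correlate(alerts, deliveries, window)}
    explained = [a for a in alerts if id(a) in explained_ids]
    unexplained = [a for a in alerts if id(a) not in explained_ids]
    return explained, unexplained


if __name__ == "__main__":
    alerts = parse_snort(SNORT_ALERTS)
    deliveries = parse_maillog(MAILLOG)
    explained, unexplained = triage(alerts, deliveries)
    for a in explained:
        print(f"explained   sid={a['sid']} {a['src']} ({a['msg']}): SMTP session in maillog")
    for a in unexplained:
        print(f"unexplained sid={a['sid']} {a['src']} ({a['msg']}): no matching delivery")
```

On real logs, replace the two embedded strings with the contents of /var/log/snort/alert (run with `-A fast`) and /var/log/maillog, and widen the window if the two hosts' clocks are not in sync. Matching on the relay IP rather than on time alone is what makes the check meaningful: a ping from an unrelated host at the same moment stays in the unexplained list.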
Current thread:
- Alerts of the ICMP relationship with smtp connection? Paulo (May 24)
- Re: Alerts of the ICMP relationship with smtp connection? Matt Jonkman (May 24)
- <Possible follow-ups>
- Re: Alerts of the ICMP relationship with smtp connection? Paulo (May 24)
- Re: Alerts of the ICMP relationship with smtp connection? Paulo (May 30)
- Re: Alerts of the ICMP relationship with smtp connection? Frank Knobbe (May 31)
- Re: Alerts of the ICMP relationship with smtp connection? Paulo (Jun 06)
- Re: Alerts of the ICMP relationship with smtp connection? Frank Knobbe (May 31)
- RE: Alerts of the ICMP relationship with smtp connection? Paulo (Jun 07)
- RE: Alerts of the ICMP relationship with smtp connection? Briggs, Bruce (Jun 07)
- RE: Alerts of the ICMP relationship with smtp connection? Paulo (Jun 07)
- RE: Alerts of the ICMP relationship with smtp connection? Briggs, Bruce (Jun 07)
- Snort Inline again.... Xavier Cabrera (Jun 07)
- RE: Alerts of the ICMP relationship with smtp connection? Paulo (Jun 08)
- RE: Alerts of the ICMP relationship with smtp connection? Paulo (Jun 10)