Snort mailing list archives

RE: ICMP L3retriever Ping?


From: Joshua Wright <Joshua.Wright () jwu edu>
Date: Thu, 30 Aug 2001 07:53:21 -0400

I have discovered that Windows 2000 clients match this pattern when
requesting ICMP echoes.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu 


-----Original Message-----
From: Barton Hodges [mailto:barton () gcmcomputers com]
Sent: Wednesday, August 29, 2001 10:10 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ICMP L3retriever Ping?


Hi, 

I just started using snort, and I am seeing a lot of
the following types of packets coming to/from one of our machines.

The machine runs DNS, SMTP, and SSH mostly visible to the outside.

Are these log entries typical?  Could anybody explain
them to me?  

What is the best method of finding out which process is
causing these types of packets?

Thanks for all the help.

[**] ICMP L3retriever Ping [**]
08/15/01-16:06:08.029593 219.171.139.23 -> 219.171.139.24
ICMP TTL:31 TOS:0x0 ID:32504 IpLen:20 DgmLen:60
Type:8  Code:0  ID:2046   Seq:2281  ECHO
41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50  ABCDEFGHIJKLMNOP
51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49  QRSTUVWABCDEFGHI

[**] MISC Large ICMP Packet [**]
08/15/01-16:54:40.265443 219.171.139.23 -> <other external ip>
ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
<snip>

[**] SCAN Proxy attempt [**]
08/15/01-23:14:42.608117 219.171.139.23:62276 -> <other external ip>:8080
TCP TTL:127 TOS:0x0 ID:17682 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5DC7D9B6  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

[**] MISC TCP port 0 traffic [**]
08/15/01-20:58:09.809308 <other external ip> -> 219.171.139.23:25
TCP TTL:116 TOS:0x0 ID:51534 IpLen:20 DgmLen:44 DF
******S* Seq: 0x6775A66  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
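
A triage sketch for the "ICMP L3retriever Ping" alert discussed in this thread, added here and not part of either post or of Snort: it parses alerts in the layout shown above, rebuilds the payload from the hex dump, and lists sources whose echo payload is only the A..W alphabet cycle, so they can be checked against the Windows 2000 explanation given in the reply. The function names and the 192.0.2.10 address are assumptions made for the example.

```python
import re

# Constructed sample: the two ICMP alerts from the post; 192.0.2.10 is a
# placeholder standing in for the elided "<other external ip>".
SAMPLE = """\
[**] ICMP L3retriever Ping [**]
08/15/01-16:06:08.029593 219.171.139.23 -> 219.171.139.24
ICMP TTL:31 TOS:0x0 ID:32504 IpLen:20 DgmLen:60
Type:8  Code:0  ID:2046   Seq:2281  ECHO
41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50  ABCDEFGHIJKLMNOP
51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49  QRSTUVWABCDEFGHI

[**] MISC Large ICMP Packet [**]
08/15/01-16:54:40.265443 219.171.139.23 -> 192.0.2.10
ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
"""

ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVW"  # 23-letter cycle seen in the posted dump
HEX_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+) ")  # hex bytes, then ASCII column

def parse_alerts(text):
    """Split alerts (layout as in the post) into signature, endpoints, payload."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        title = re.match(r"\[\*\*\]\s*(.*?)\s*\[\*\*\]", lines[0])
        ends = re.search(r"(\S+) -> (\S+)", lines[1]) if len(lines) > 1 else None
        if not (title and ends):
            continue
        dump = "".join(h.group(1) for h in map(HEX_LINE.match, lines[2:]) if h)
        alerts.append({"sig": title.group(1), "src": ends.group(1),
                       "dst": ends.group(2), "payload": bytes.fromhex(dump)})
    return alerts

def is_alphabet_echo(payload):
    """True when the payload is only the A..W cycle, as in the posted alert."""
    cycle = ALPHABET * (len(payload) // len(ALPHABET) + 1)
    return bool(payload) and payload == cycle[:len(payload)]

def candidate_hosts(alerts, sig="ICMP L3retriever Ping"):
    """Sources whose alerts for `sig` carry the alphabet payload."""
    return sorted({a["src"] for a in alerts
                   if a["sig"] == sig and is_alphabet_echo(a["payload"])})

if __name__ == "__main__":
    for host in candidate_hosts(parse_alerts(SAMPLE)):
        print(host, "sent alphabet-pattern echo requests; check if it runs Windows 2000")
```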
