Snort mailing list archives
Re: (no subject)
From: Jim Brown <jpb () sixshooter v6 thrupoint net>
Date: Mon, 1 Dec 2003 22:19:34 -0500
* CGhercoias () TWEC COM <CGhercoias () TWEC COM> [2003-12-01 13:35]:
Hi,
In the past few days our snort was recording these types of alerts.
Both 177.x.x.x and 177.y.y.y are on the same network segment and are
inside of the company, firewalled from Internet.
In a short period of time (between 2003-11-28 11:11:24 and 2003-11-28
11:26:20 -- 15 minutes), snort recorded roughly 44.000 alerts.
Does anyone know what they mean?
Any help will be appreciated.
Thank you,
___________________________
Catalin Ghercoias
WEB/Network Security Administrator
<<<<<<<<<<<<<<<<<<DATA FROM SNORT>>>>>>>>>>>>>>>>>>>
AlertsGenerated by ACID v0.9.6b23 on Mon, 1 Dec 2003 13:20:39 -0500
------------------------------------------------------------------------------
#(3 - 1249126) [2003-11-28 11:11:24] [snort/1322] BAD-TRAFFIC bad frag bits
IPv4: 177.x.x.x -> 177.y.y.y
hlen=5 TOS=0 dlen=1500 ID=15379 flags=1 offset=59420 TTL=64 chksum=20975
ICMP: type=Echo Reply code=
checksum= id= seq=
Payload: length = 1480
000 : 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 44 45 46 47 89:;<=>?@ABCDEFG
010 : 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 HIJKLMNOPQRSTUVW
020 : 58 59 5A 5B 5C 5D 5E 5F 60 61 62 63 64 65 66 67 XYZ[\]^_`abcdefg
030 : 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 hijklmnopqrstuvw
[snip]

You might check your Cisco logs. Cisco IOS has the ability to send ICMP echo requests at essentially wire speed. I've done them myself for certain kinds of performance testing. Sounds to me like someone did an 'enable' ping and set various options.

Best Regards,
jpb
