
[Snort-users] ICMP L3retriever Ping?


Barton Hodges

Aug 29, 2001, 11:28:53 PM
Hi,

I just started using snort, and I am seeing a lot of
the following types of packets coming to/from one of our machines.

The machine runs DNS, SMTP, and SSH mostly visible to the outside.

Are these log entries typical? Could anybody explain
them to me?

What is the best method of finding out which process is
causing these types of packets?

Thanks for all the help.

[**] ICMP L3retriever Ping [**]
08/15/01-16:06:08.029593 219.171.139.23 -> 219.171.139.24
ICMP TTL:31 TOS:0x0 ID:32504 IpLen:20 DgmLen:60
Type:8 Code:0 ID:2046 Seq:2281 ECHO
41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 ABCDEFGHIJKLMNOP
51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49 QRSTUVWABCDEFGHI

[**] MISC Large ICMP Packet [**]
08/15/01-16:54:40.265443 219.171.139.23 -> <other external ip>
ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
<snip>

[**] SCAN Proxy attempt [**]
08/15/01-23:14:42.608117 219.171.139.23:62276 -> <other external
ip>:8080
TCP TTL:127 TOS:0x0 ID:17682 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5DC7D9B6 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] MISC TCP port 0 traffic [**]
08/15/01-20:58:09.809308 <other external ip> -> 219.171.139.23:25
TCP TTL:116 TOS:0x0 ID:51534 IpLen:20 DgmLen:44 DF
******S* Seq: 0x6775A66 Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Joshua Wright

Aug 30, 2001, 9:53:47 AM
I have discovered that Windows 2000 clients match this pattern when
requesting ICMP echoes.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua...@jwu.edu

John Berkers

Aug 30, 2001, 10:50:53 AM
I notice someone has already answered regarding the first signature, I've
made comments on some of the others:

>-----Original Message-----
>From: snort-us...@lists.sourceforge.net
>[mailto:snort-us...@lists.sourceforge.net]On Behalf Of Barton
>Hodges
>Sent: Thursday, 30 August 2001 12:10
>To: snort...@lists.sourceforge.net
>Subject: [Snort-users] ICMP L3retriever Ping?
>
>
>Hi,
>
>I just started using snort, and I am seeing a lot of
>the following types of packets coming to/from one of our machines.
>
>The machine runs DNS, SMTP, and SSH mostly visible to the outside.
>
>Are these log entries typical? Could anybody explain
>them to me?
>
>What is the best method of finding out which process is
>causing these types of packets?
>
>Thanks for all the help.
>
>[**] ICMP L3retriever Ping [**]
>08/15/01-16:06:08.029593 219.171.139.23 -> 219.171.139.24
>ICMP TTL:31 TOS:0x0 ID:32504 IpLen:20 DgmLen:60
>Type:8 Code:0 ID:2046 Seq:2281 ECHO
>41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 ABCDEFGHIJKLMNOP
>51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49 QRSTUVWABCDEFGHI

Comment from Joshua Wright is that this is generated by Win2K boxes. I have
noticed the same.


>
>[**] MISC Large ICMP Packet [**]
>08/15/01-16:54:40.265443 219.171.139.23 -> <other external ip>
>ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500
>Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
><snip>
>

1500 Byte ICMP packets come from HP-UX systems performing some sort of load
balancing act. We received a whole bunch of them from one network at one
stage, so I queried it with the admin; it can be turned off at the source,
but it might be a bit of a hassle chasing down admins for all of these
systems. The target system for these packets was our DNS whenever either
mail was being sent, or our web proxy was fulfilling someone's request and
looking up the server address.

>[**] SCAN Proxy attempt [**]
>08/15/01-23:14:42.608117 219.171.139.23:62276 -> <other external
>ip>:8080
>TCP TTL:127 TOS:0x0 ID:17682 IpLen:20 DgmLen:48 DF
>******S* Seq: 0x5DC7D9B6 Ack: 0x0 Win: 0x4000 TcpLen: 28
>TCP Options (4) => MSS: 1460 NOP NOP SackOK
>

Someone trying to connect to a proxy server on 8080 (which is a relatively
common port, though not the default for either IIS or Squid). In this case
it looks as though one of your machines is trying to use the proxy server at
the external address. You might want to look at your HOME_NET variable in
your snort.conf. This should normally not trigger for outgoing proxy access.

>[**] MISC TCP port 0 traffic [**]
>08/15/01-20:58:09.809308 <other external ip> -> 219.171.139.23:25
>TCP TTL:116 TOS:0x0 ID:51534 IpLen:20 DgmLen:44 DF
>******S* Seq: 0x6775A66 Ack: 0x0 Win: 0x2000 TcpLen: 24
>TCP Options (1) => MSS: 1460

Port 0 is not supposed to be used by anything, at least not from my
understanding, though there are some vulnerabilities that can be exploited
(I think). So port 0 traffic is generally bad.

Hope that clarifies things a bit.

Also, both http://snort.sourcefire.com/ and http://www.whitehats.com/ are
great sources of info. Check them out.

Regards,

John Berkers ICQ: 112912
Network Services Hansen Corporation
john.b...@hancorp.com.au be...@ozemail.com.au

Chris Keladis

Aug 30, 2001, 12:22:58 PM
John Berkers wrote:

> Comment from Joshua Wright is that this is generated by Win2K boxes. I have
> noticed the same.
> >
> >[**] MISC Large ICMP Packet [**]
> >08/15/01-16:54:40.265443 219.171.139.23 -> <other external ip>
> >ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500
> >Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
> >00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> ><snip>
> >
> 1500 Byte ICMP packets come from HP-UX systems performing some sort of load
> balancing act. We received a whole bunch of them from one network at one
> stage, so I queried it with the admin, it can be turned off at the source,
> but it might be a bit of a hassle chasing down admins for all of these
> systems. The target system for these packets was our DNS whenever either
> mail was being sent, or our web proxy was fulfilling someone's request and
> looking up the server address.


I assume those ICMP echo-request packets are generated by HP Openview (a
popular network management application which usually runs atop of
HP/UX).

Using the regular ping command from our HP/UX 11.00 box generated a
regular 64-byte ping (and response).

My guess is HPOV (Network Node Manager specifically) somehow finds
servers around the place and attempts to ping them with this odd ping,
for inclusion in its poll cycle. (They probably use 1500 byte packets
to do more thorough end-to-end tests, test for MTU size, PMTU,
fragmentation, etc).

Looking at some dumps quickly it seems NNM generates a regular sized
ICMP 'echo-request' however the 'echo-reply' is 1500 bytes long + IP_H.

Very odd... It's late and I'm lacking sleep, so I won't make any
conclusions tonight :-)


Regards,

Chris.
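Added example, not code from the thread or from the Snort project: a small Python triage script that parses Snort 1.x text alerts in the format posted above and re-checks them along the lines of the replies from Joshua Wright, John Berkers and Chris Keladis. Everything beyond the alert format itself is an assumption: the shape of the "SCAN Proxy attempt" rule (modelled as tcp $EXTERNAL_NET any -> $HOME_NET 8080 with only SYN set), an 800-byte threshold for the large-ICMP check, that the original poster's HOME_NET would be 219.171.139.0/24, and the documentation addresses (192.0.2.x) that stand in for the elided "<other external ip>".

```python
"""Added example: parse Snort 1.x text alerts and re-check them as the replies
in this thread suggest (fixed Win2K ping payload, large ICMP, HOME_NET scope)."""
import ipaddress
import re

# Constructed sample: the four alerts from the thread, with the poster's
# "<other external ip>" replaced by documentation addresses (192.0.2.x).
SAMPLE_ALERTS = """\
[**] ICMP L3retriever Ping [**]
08/15/01-16:06:08.029593 219.171.139.23 -> 219.171.139.24
ICMP TTL:31 TOS:0x0 ID:32504 IpLen:20 DgmLen:60
Type:8 Code:0 ID:2046 Seq:2281 ECHO
41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 ABCDEFGHIJKLMNOP
51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49 QRSTUVWABCDEFGHI

[**] MISC Large ICMP Packet [**]
08/15/01-16:54:40.265443 219.171.139.23 -> 192.0.2.10
ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

[**] SCAN Proxy attempt [**]
08/15/01-23:14:42.608117 219.171.139.23:62276 -> 192.0.2.10:8080
TCP TTL:127 TOS:0x0 ID:17682 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5DC7D9B6 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] MISC TCP port 0 traffic [**]
08/15/01-20:58:09.809308 192.0.2.20 -> 219.171.139.23:25
TCP TTL:116 TOS:0x0 ID:51534 IpLen:20 DgmLen:44 DF
******S* Seq: 0x6775A66 Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
"""

MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
HDR_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
                    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
FIELD_RE = re.compile(r"(\w+):(\S+)")           # TTL:31  DgmLen:60  Type:8
HEX_RE = re.compile(r"^[0-9A-F]{2}$")
TCP_FLAGS_RE = re.compile(r"^[12UAPRSF*]{8}$")  # e.g. ******S*

def parse_dump_line(line):
    """Return the bytes of one hex-dump row, or None for any other line."""
    toks = line.split()
    n = 0
    while n < min(16, len(toks)) and HEX_RE.match(toks[n]):
        n += 1
    # The ASCII column is exactly one char per byte; that disambiguates a
    # trailing column that itself looks like a hex pair (e.g. "41 42 AB").
    for k in range(n, 0, -1):
        if len(" ".join(toks[k:])) == k:
            return bytes.fromhex("".join(toks[:k]))
    return None

def parse_alerts(text):
    """Split a Snort text alert file into dicts (one per blank-line block)."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        msg, hdr = MSG_RE.match(lines[0]), HDR_RE.match(lines[1])
        if not (msg and hdr):
            raise ValueError("unrecognised alert block: " + lines[0])
        a = {"msg": msg["msg"], "ts": hdr["ts"], "src": hdr["src"], "dst": hdr["dst"],
             "sport": int(hdr["sport"]) if hdr["sport"] else None,
             "dport": int(hdr["dport"]) if hdr["dport"] else None,
             "proto": lines[2].split()[0], "flags": None, "fields": {}, "payload": b""}
        for line in lines[2:]:
            data = parse_dump_line(line)
            if data is not None:
                a["payload"] += data
                continue
            first = line.split()[0]
            if TCP_FLAGS_RE.match(first):
                a["flags"] = first
            a["fields"].update(FIELD_RE.findall(line))  # later keys win (ICMP ID over IP ID)
        alerts.append(a)
    return alerts

def addr_matches(ip, spec, cfg):
    """Evaluate a Snort address spec: 'any', '$VAR', '!spec' or a CIDR list."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(ip, spec[1:], cfg)
    if spec.startswith("$"):
        return addr_matches(ip, cfg[spec[1:]], cfg)
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
               for n in spec.split(","))

# The signature keys on this fixed 32-byte echo payload; per the thread a
# Windows 2000 ping sends exactly it, so the alert alone proves no scanner.
L3RETRIEVER_PAYLOAD = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"

def is_l3retriever_ping(a):
    return (a["proto"] == "ICMP" and a["fields"].get("Type") == "8"
            and a["payload"] == L3RETRIEVER_PAYLOAD)

def is_large_icmp(a, threshold=800):
    """Threshold is an assumption, not the stock rule's value."""
    return a["proto"] == "ICMP" and int(a["fields"].get("DgmLen", 0)) > threshold

def proxy_rule_fires(a, cfg):
    """Assumed shape of 'SCAN Proxy attempt': tcp $EXTERNAL_NET any -> $HOME_NET 8080, SYN only."""
    return (a["proto"] == "TCP" and a["dport"] == 8080
            and a["flags"] is not None and a["flags"][2:] == "****S*"
            and addr_matches(a["src"], "$EXTERNAL_NET", cfg)
            and addr_matches(a["dst"], "$HOME_NET", cfg))

DEFAULT_CFG = {"HOME_NET": "any", "EXTERNAL_NET": "any"}                    # stock snort.conf
TUNED_CFG = {"HOME_NET": "219.171.139.0/24", "EXTERNAL_NET": "!$HOME_NET"}  # assumed /24

def triage(text, cfg):
    """Map each alert's msg to the notes a reviewer would attach to it."""
    notes = {}
    for a in parse_alerts(text):
        n = []
        if is_l3retriever_ping(a):
            n.append("fixed A-Z echo payload: matches a Windows 2000 ping")
        if is_large_icmp(a):
            kind = "reply" if a["fields"].get("Type") == "0" else "request"
            n.append("ICMP DgmLen %s (%s)" % (a["fields"]["DgmLen"], kind))
        if a["proto"] == "TCP" and a["dport"] == 8080:
            n.append("proxy rule fires" if proxy_rule_fires(a, cfg)
                     else "proxy rule silent: outbound from HOME_NET")
        notes[a["msg"]] = n
    return notes

if __name__ == "__main__":
    for cfg in (DEFAULT_CFG, TUNED_CFG):
        print(cfg)
        for msg, n in triage(SAMPLE_ALERTS, cfg).items():
            print("  %-28s %s" % (msg, "; ".join(n) or "-"))
```

Running it with the stock configuration and then with the scoped one shows John's point directly: the "SCAN Proxy attempt" entry fires while HOME_NET is "any", because the poster's own host counts as $EXTERNAL_NET and the proxy counts as $HOME_NET, and goes silent once HOME_NET is the local /24 and EXTERNAL_NET is its negation. The L3retriever check shows the echo payload is the fixed pattern Joshua attributes to Windows 2000, and the large-ICMP check reports the 1500-byte datagram as an echo reply, which is the asymmetry Chris describes.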
