RE: ICMP Destination Unreachable in SNORT

From: Robert Buckley (rbuckley@synapsemail.com)
Date: 06/19/02


From: Robert Buckley <rbuckley@synapsemail.com>
To: "'Grimes, Shawn (NIA/IRP)'" <GrimesSh@grc.nia.nih.gov>, "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Wed, 19 Jun 2002 12:32:05 -0400

Sounds like a typical udp port 137 broadcast getting sent to the outside.
Snort should give the initial packet that is causing the unreach.
I see the same thing with dial up users who can't find a wins box.

-----Original Message-----
From: Grimes, Shawn (NIA/IRP) [mailto:GrimesSh@grc.nia.nih.gov]
Sent: Wednesday, June 19, 2002 11:18 AM
To: 'incidents@securityfocus.com'
Subject: ICMP Destination Unreachable in SNORT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm getting ICMP Destination Unreachable alerts in SNORT from a dial
up user. It seems the original destination IP is to x.x.255.255
(x.x. being the first two octets of our range). The router is
filtering these packets (hence why I get the ICMP destination
unreachable). My question is, is this a misconfigured box? If so,
what is misconfigured? Is this a compromised box?

Any ideas? Do you need additional information?

Thank You,
Shawn Grimes
Computer Specialist
NCTS - Gerontology Research Center
410-558-8007
grimessh@grc.nia.nih.gov

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPRCgrFKuo2WZJKgKEQKhYQCgrrNFQtRI2UOHQTKpS8rRy53n86UAn12X
CiqxqYxDqHSuG9BSqNk/84en
=SYVB
-----END PGP SIGNATURE-----
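Added example, not part of the original thread or of Snort: a small Python decoder for the kind of ICMP Destination Unreachable packet discussed above. An ICMP type 3 message quotes the IP header and first 8 bytes of the datagram that triggered it, so the original source, destination and (for UDP) the ports can be pulled straight out of the alert payload, which is what the reply above means by "Snort should give the initial packet". The sample packet is constructed here (addresses 10.20.x.x, a 137 -> 137 NetBIOS name query to the x.x.255.255 directed broadcast, answered by a filtering router with an administratively-prohibited code); checksums are left at zero since nothing here validates them.

```python
import ipaddress
import struct

ICMP_PROTO = 1
UDP_PROTO = 17
ICMP_DEST_UNREACH = 3
NBNS_PORT = 137  # NetBIOS name service, the udp port 137 traffic from the thread

# Subset of RFC 792 / RFC 1812 destination-unreachable codes
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def parse_ipv4_header(data):
    """Decode the fixed 20-byte IPv4 header; raise on truncation or bad version."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _ident, _frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("bad IPv4 header")
    return {"ihl": ihl, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}


def explain_unreachable(packet):
    """Given a raw IPv4+ICMP type 3 packet, recover the datagram that caused it."""
    outer = parse_ipv4_header(packet)
    icmp = packet[outer["ihl"]:]
    if outer["proto"] != ICMP_PROTO or len(icmp) < 8:
        raise ValueError("not an ICMP packet")
    itype, icode = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH:
        raise ValueError(f"ICMP type {itype} is not destination unreachable")
    inner = parse_ipv4_header(icmp[8:])      # quoted original datagram header
    quoted = icmp[8 + inner["ihl"]:]         # up to 8 bytes of its payload
    result = {
        "reporter": outer["src"],            # the router that filtered the packet
        "code": UNREACH_CODES.get(icode, f"code {icode}"),
        "orig_src": inner["src"], "orig_dst": inner["dst"],
        "orig_proto": inner["proto"], "orig_sport": None, "orig_dport": None,
        "verdict": "unknown",
    }
    # The quote may be cut short; only read UDP ports when both are present.
    if inner["proto"] == UDP_PROTO and len(quoted) >= 4:
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", quoted[:4])
    # x.x.255.255 from the thread: last two octets all ones, a /16 directed broadcast
    broadcast_like = inner["dst"].split(".")[2:] == ["255", "255"]
    if result["orig_dport"] == NBNS_PORT and broadcast_like:
        result["verdict"] = "netbios-name-broadcast"   # benign misconfiguration pattern
    elif result["orig_dport"] == NBNS_PORT:
        result["verdict"] = "netbios-name-unicast"
    return result


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header builder for constructed samples (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_sample_unreachable(code=13, quote_len=28):
    """Constructed sample: router 10.20.0.1 rejects a 137->137 broadcast from 10.20.30.40."""
    udp = struct.pack("!HHHH", NBNS_PORT, NBNS_PORT, 8 + 50, 0) + b"\x00" * 50
    original = build_ipv4("10.20.30.40", "10.20.255.255", UDP_PROTO, udp, ttl=128)
    # RFC 792: type 3 carries type, code, checksum, unused word, then the quoted datagram
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[:quote_len]
    return build_ipv4("10.20.0.1", "10.20.30.40", ICMP_PROTO, icmp)


if __name__ == "__main__":
    for key, value in explain_unreachable(build_sample_unreachable()).items():
        print(f"{key:>10}: {value}")
```

In a real triage you would feed the bytes from the Snort alert's packet dump instead of `build_sample_unreachable()`; a verdict of `netbios-name-broadcast` with the reporter being your own border router matches the misconfigured-WINS pattern from the reply above, while a quoted datagram with a different protocol or port is worth a closer look.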

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
