From: Mark Hutchings (mark@desynergy.com)
Date: 11/13/02

Next message: Jason Clinton: "Re: cdrom won't mount with var. files"
Previous message: Duane Attaway: "Re: cdrom won't mount with var. files"
In reply to: Hanasaki JiJi: "SNORT bad ICMP on internal network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

Message-ID: <1037218909.3dd2b45d9763a@webmail.desynergy.com>
Date: Wed, 13 Nov 2002 14:18:11 -0600
From: Mark Hutchings <mark@desynergy.com>
Subject: Re: SNORT bad ICMP on internal network

Your log links you to a web page that explains it.

http://www.whitehats.com/info/IDS247

Quoting Hanasaki JiJi <hanasaki@hanaden.com>:

> The below is from snort running on 192.168.1.200 and talking to
> 192.168.1.1 <linux firewall/router> Any ideas as to what could be
> causing this? I even tried turning off all internal iptables. Nothing
> improved.
> BAD TRAFFIC & MISC Large UDP Packet
>
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:01:48.780376 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2721 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x0 Frag Size: 0x5C8
>
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:02:05.328939 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2722 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x0 Frag Size: 0x5C8
>
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:02:51.626293 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2723 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x0 Frag Size: 0x5C8
>
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:02:51.782650 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2724 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x2E4 Frag Size: 0x5C8
>
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:02:51.782684 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2724 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x22B Frag Size: 0x5C8
>
>
> [**] [1:521:1] MISC Large UDP Packet [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 11/13-07:47:30.871859 192.168.1.1:2049 -> 192.168.1.200:795
> UDP TTL:64 TOS:0x0 ID:19805 IpLen:20 DgmLen:8348
> Len: 8328
> [Xref => http://www.whitehats.com/info/IDS247]
>
> [**] [1:521:1] MISC Large UDP Packet [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 11/13-07:47:30.878832 192.168.1.1:2049 -> 192.168.1.200:795
> UDP TTL:64 TOS:0x0 ID:19806 IpLen:20 DgmLen:8348
> Len: 8328
> [Xref => http://www.whitehats.com/info/IDS247]
>
> [**] [1:521:1] MISC Large UDP Packet [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 11/13-07:47:30.929488 192.168.1.1:2049 -> 192.168.1.200:795
> UDP TTL:64 TOS:0x0 ID:19807 IpLen:20 DgmLen:8348
> Len: 8328
> [Xref => http://www.whitehats.com/info/IDS247]
>
> [**] [1:521:1] MISC Large UDP Packet [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 11/13-07:47:30.936608 192.168.1.1:2049 -> 192.168.1.200:795
> UDP TTL:64 TOS:0x0 ID:19808 IpLen:20 DgmLen:8348
> Len: 8328
> [Xref => http://www.whitehats.com/info/IDS247]
>
>
>
>
>

Next message: Jason Clinton: "Re: cdrom won't mount with var. files"
Previous message: Duane Attaway: "Re: cdrom won't mount with var. files"
In reply to: Hanasaki JiJi: "SNORT bad ICMP on internal network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]