SNORT bad ICMP on internal network

Hanasaki JiJi hanasaki at hanaden.com
Wed Nov 13 19:13:09 CST 2002


The below is from Snort running on 192.168.1.200 and talking to
192.168.1.1 <Linux firewall/router>.  Any ideas as to what could be
causing this?  I even tried turning off all internal iptables.  Nothing
improved.
	BAD TRAFFIC & MISC Large UDP Packet

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/13-02:01:48.780376 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:2721 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0   Frag Size: 0x5C8

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/13-02:02:05.328939 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:2722 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0   Frag Size: 0x5C8

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/13-02:02:51.626293 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:2723 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0   Frag Size: 0x5C8

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/13-02:02:51.782650 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:2724 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x2E4   Frag Size: 0x5C8

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/13-02:02:51.782684 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:2724 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x22B   Frag Size: 0x5C8

[**] [1:521:1] MISC Large UDP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/13-07:47:30.871859 192.168.1.1:2049 -> 192.168.1.200:795
UDP TTL:64 TOS:0x0 ID:19805 IpLen:20 DgmLen:8348
Len: 8328
[Xref => http://www.whitehats.com/info/IDS247]

[**] [1:521:1] MISC Large UDP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/13-07:47:30.878832 192.168.1.1:2049 -> 192.168.1.200:795
UDP TTL:64 TOS:0x0 ID:19806 IpLen:20 DgmLen:8348
Len: 8328
[Xref => http://www.whitehats.com/info/IDS247]

[**] [1:521:1] MISC Large UDP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/13-07:47:30.929488 192.168.1.1:2049 -> 192.168.1.200:795
UDP TTL:64 TOS:0x0 ID:19807 IpLen:20 DgmLen:8348
Len: 8328
[Xref => http://www.whitehats.com/info/IDS247]

[**] [1:521:1] MISC Large UDP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/13-07:47:30.936608 192.168.1.1:2049 -> 192.168.1.200:795
UDP TTL:64 TOS:0x0 ID:19808 IpLen:20 DgmLen:8348
Len: 8328
[Xref => http://www.whitehats.com/info/IDS247]



