SNORT bad ICMP on internal network

Mark Hutchings mark at desynergy.com
Wed Nov 13 20:18:11 CST 2002


Your log links you to a web page that explains it.

http://www.whitehats.com/info/IDS247

Quoting Hanasaki JiJi <hanasaki at hanaden.com>:

> The below is from snort running on 192.168.1.200 and talking to
> 192.168.1.1 <linux firewall/router>  Any ideas as to what could be
> causing this?  I even tried turning off all internal iptables.  Nothing
> improved.
> 	BAD TRAFFIC & MISC Large UDP Packet
> 
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:01:48.780376 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2721 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x0   Frag Size: 0x5C8
> 
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:02:05.328939 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2722 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x0   Frag Size: 0x5C8
> 
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:02:51.626293 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2723 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x0   Frag Size: 0x5C8
> 
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:02:51.782650 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2724 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x2E4   Frag Size: 0x5C8
> 
> [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
> [Classification: Misc activity] [Priority: 3]
> 11/13-02:02:51.782684 192.168.1.200 -> 192.168.1.1
> UDP TTL:64 TOS:0x0 ID:2724 IpLen:20 DgmLen:1500 DF MF
> Frag Offset: 0x22B   Frag Size: 0x5C8
> 
> 
> [**] [1:521:1] MISC Large UDP Packet [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 11/13-07:47:30.871859 192.168.1.1:2049 -> 192.168.1.200:795
> UDP TTL:64 TOS:0x0 ID:19805 IpLen:20 DgmLen:8348
> Len: 8328
> [Xref => http://www.whitehats.com/info/IDS247]
> 
> [**] [1:521:1] MISC Large UDP Packet [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 11/13-07:47:30.878832 192.168.1.1:2049 -> 192.168.1.200:795
> UDP TTL:64 TOS:0x0 ID:19806 IpLen:20 DgmLen:8348
> Len: 8328
> [Xref => http://www.whitehats.com/info/IDS247]
> 
> [**] [1:521:1] MISC Large UDP Packet [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 11/13-07:47:30.929488 192.168.1.1:2049 -> 192.168.1.200:795
> UDP TTL:64 TOS:0x0 ID:19807 IpLen:20 DgmLen:8348
> Len: 8328
> [Xref => http://www.whitehats.com/info/IDS247]
> 
> [**] [1:521:1] MISC Large UDP Packet [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 11/13-07:47:30.936608 192.168.1.1:2049 -> 192.168.1.200:795
> UDP TTL:64 TOS:0x0 ID:19808 IpLen:20 DgmLen:8348
> Len: 8328
> [Xref => http://www.whitehats.com/info/IDS247]
> 

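As an added worked example (not part of this thread or of Snort itself), here is a small Python parser for the alert format quoted above that reports, for each alert, which rule condition it matches. It assumes the rule definitions of that rule set: sid 1322 "BAD TRAFFIC bad frag bits" is a `fragbits:MD` rule (Don't Fragment and More Fragments both set), and sid 521 "MISC Large UDP Packet" is a `dsize:>4000` rule. The two sample blocks are copied from the quoted alerts; the NFS note relies only on 2049 being the NFS port.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Two alert blocks copied from the quoted Snort output (page data, not constructed).
SAMPLE_ALERTS = """\
[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/13-02:02:51.782650 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:2724 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x2E4   Frag Size: 0x5C8

[**] [1:521:1] MISC Large UDP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/13-07:47:30.871859 192.168.1.1:2049 -> 192.168.1.200:795
UDP TTL:64 TOS:0x0 ID:19805 IpLen:20 DgmLen:8348
Len: 8328
[Xref => http://www.whitehats.com/info/IDS247]
"""

# Assumed rule conditions (see lead-in): sid 1322 = fragbits:MD, sid 521 = dsize:>4000.
LARGE_UDP_DSIZE = 4000
NFS_PORT = 2049

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
ADDR_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(.*)$")
FRAG_RE = re.compile(r"Frag Offset: 0x([0-9A-Fa-f]+)\s+Frag Size: 0x([0-9A-Fa-f]+)")
LEN_RE = re.compile(r"^Len: (\d+)$")


@dataclass
class Alert:
    sid: int
    msg: str
    src: str
    dst: str
    proto: str
    ip_id: int
    dgm_len: int
    flags: List[str] = field(default_factory=list)
    frag_offset: Optional[int] = None  # raw offset as printed (8-byte units)
    frag_size: Optional[int] = None    # payload bytes carried by this fragment
    udp_len: Optional[int] = None      # "Len:" line, UDP payload length


def _port(endpoint: str) -> Optional[int]:
    """'192.168.1.1:2049' -> 2049; a bare address has no port."""
    _host, sep, port = endpoint.rpartition(":")
    return int(port) if sep else None


def parse_alerts(text: str) -> List[Alert]:
    """Split Snort 'full' alert output on blank lines and parse each block."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head or len(lines) < 4:
            continue  # not an alert block
        addr = ADDR_RE.match(lines[2])
        ip = IP_RE.match(lines[3])
        if not (addr and ip):
            continue
        alert = Alert(sid=int(head.group(2)), msg=head.group(4),
                      src=addr.group(2), dst=addr.group(3),
                      proto=ip.group(1), ip_id=int(ip.group(4)),
                      dgm_len=int(ip.group(6)), flags=ip.group(7).split())
        for ln in lines[4:]:
            fm, lm = FRAG_RE.search(ln), LEN_RE.match(ln)
            if fm:
                alert.frag_offset = int(fm.group(1), 16)
                alert.frag_size = int(fm.group(2), 16)
            elif lm:
                alert.udp_len = int(lm.group(1))
        alerts.append(alert)
    return alerts


def fragment_byte_range(alert: Alert) -> Optional[Tuple[int, int]]:
    """IP fragment offsets count 8-byte units; return [start, end) in bytes."""
    if alert.frag_offset is None or alert.frag_size is None:
        return None
    start = alert.frag_offset * 8
    return start, start + alert.frag_size


def explain(alert: Alert) -> List[str]:
    """Name each assumed rule condition the alert's fields satisfy."""
    reasons = []
    if "DF" in alert.flags and "MF" in alert.flags:
        reasons.append("DF and MF both set on one fragment (sid 1322 fragbits:MD)")
    if alert.udp_len is not None and alert.udp_len > LARGE_UDP_DSIZE:
        reasons.append(f"UDP payload {alert.udp_len} > {LARGE_UDP_DSIZE} bytes (sid 521 dsize)")
    if NFS_PORT in (_port(alert.src), _port(alert.dst)):
        reasons.append("port 2049 is NFS; large UDP datagrams here fit NFS-over-UDP replies")
    return reasons


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.sid, a.msg, a.src, "->", a.dst, fragment_byte_range(a), explain(a))
```

Run against the quoted output, the first block decodes to a fragment covering bytes 5920 to 7400 of IP datagram 2724 with both DF and MF set, which is exactly the fragbits combination the rule is written for; the second block is an 8328-byte UDP payload from port 2049, which trips the size threshold and points at NFS as the source rather than at anything hostile.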
More information about the Kclug mailing list