Snort Results

By danielle ·
I recently set up Snort. In the log our external IP Address remains the same but their IP Address increments by 1 from x.x.x.1 - x.x.x.254. Any idea of what is occurring?

[**] [1:486:2] ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
07/29-15:19:18.469870 0:9:E8:29:9E:A0 -> 0:9:E8:39:E7:EC type:0x800 len:0x46
134.130.198.63 -> X.X.X.146 ICMP TTL:237 TOS:0x0 ID:6424 IpLen:20 DgmLen:56 DF
Type Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
X.X.X.146:49589 -> 134.130.198.63:137 UDP TTL:111 TOS:0x0 ID:5060 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP

[**] [1:486:2] ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
07/29-15:19:18.621320 0:9:E8:29:9E:A0 -> 0:9:E8:39:E7:EC type:0x800 len:0x46
134.130.198.64 -> X.X.X.146 ICMP TTL:237 TOS:0x0 ID:18881 IpLen:20 DgmLen:56 DF
Type Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
X.X.X.146:49589 -> 134.130.198.64:137 UDP TTL:111 TOS:0x0 ID:6852 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP

[**] [1:486:2] ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
07/29-15:19:18.771442 0:9:E8:29:9E:A0 -> 0:9:E8:39:E7:EC type:0x800 len:0x46
134.130.198.65 -> X.X.X.146 ICMP TTL:237 TOS:0x0 ID:6425 IpLen:20 DgmLen:56 DF
Type Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
X.X.X.146:49589 -> 134.130.198.65:137 UDP TTL:111 TOS:0x0 ID:9668 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP

Snort Results

by Joseph Moore In reply to Snort Results

Well, to me it looks like you have ICMP disabled at your firewall. And the attacker was probably trying to PING you.
I think that the source IP address is being spoofed, so that each ICMP packet was being sent from a different source IP, in an attempt at making it harder for an IDS to pick up that a single attacker was doing this.
So, the attacker put in the 134.130.198.0 address space (registered to a company in Germany) to spoof their origination IP.

Anyway, that is what it looks like to me.

Collapse -

Snort Results

by Joseph Moore In reply to Snort Results

Well, to me it looks like your have ICMP disabled at your firewall. And the attacker was trying to probably PING you.
I think that the source IP address is being spoofed, so that each ICMP packet were being sent from a different source IP, in an attempt at making it harder for an IDS to pick up that a single attacker were doing this.
So, the attacker put in the 134.130.198.0 address space (registered to a company in Germany) to spoof their origination IP.

Anyway, that is what it looks like to me.

Collapse -

Snort Results

by lenz.rudiger In reply to Snort Results

Well, someone is checking port 137 (mapping).

This is normally Network Basic Input Output System name service, used by SMB file and print sharing.

In the trace it's always the same IP address, but she/he is probably hiding behind one of those addresses.
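The alerts in the original post, and the port 137 point in the reply above, can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from the Snort project: a small Python parser for the "full" alert format quoted in the question. It extracts the outer ICMP source and destination, the ICMP code, and the embedded original datagram from each record, then answers the two questions an analyst asks first about ICMP unreachable alerts: which side of the home network sent the datagram the ICMP error is complaining about, and whether the remote addresses form a consecutive run. The sample input is constructed from the three records above; the masked local address X.X.X.146 is replaced by the RFC 5737 documentation address 203.0.113.146 so it parses, and HOME_NET is an assumed CIDR standing in for the poster's external network. The function names and record layout are this example's own.

```python
"""Triage the Snort 'full' alert records quoted above: parse each record,
then report the direction of the embedded datagram and any address sweep."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample built from the format of the three alerts in the thread.
# The masked local address X.X.X.146 is replaced by the RFC 5737 documentation
# address 203.0.113.146 so that it parses as an IP address.
RECORD_TEMPLATE = """\
[**] [1:486:2] ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
07/29-15:19:18.{usec:06d} 0:9:E8:29:9E:A0 -> 0:9:E8:39:E7:EC type:0x800 len:0x46
134.130.198.{host} -> 203.0.113.146 ICMP TTL:237 TOS:0x0 ID:{ipid} IpLen:20 DgmLen:56 DF
Type Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
203.0.113.146:49589 -> 134.130.198.{host}:137 UDP TTL:111 TOS:0x0 ID:{inner_id} IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
"""
SAMPLE_ALERT_LOG = "\n".join(
    RECORD_TEMPLATE.format(host=h, usec=u, ipid=i, inner_id=j)
    for h, u, i, j in [(63, 469870, 6424, 5060), (64, 621320, 18881, 6852), (65, 771442, 6425, 9668)]
)
HOME_NET = "203.0.113.0/24"  # assumption: the poster's external network as a CIDR

HEADER_RE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]$")
TIMESTAMP_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
OUTER_RE = re.compile(r"^(?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<proto>ICMP|UDP|TCP) TTL:(?P<ttl>\d+)")
CODE_RE = re.compile(r"Code:(?P<code>\d+)")
INNER_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>UDP|TCP) TTL:(?P<ttl>\d+)")


def parse_alerts(text):
    """Return one dict per alert record; records are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # not an alert record (e.g. a stray line)
        alert = {"gid": int(header["gid"]), "sid": int(header["sid"]), "msg": header["msg"],
                 "timestamp": None, "outer": None, "icmp_code": None, "inner": None}
        in_dump = False  # True between the ORIGINAL DATAGRAM DUMP and END OF DUMP markers
        for line in lines[1:]:
            if line.startswith("** ORIGINAL DATAGRAM DUMP"):
                in_dump = True
            elif line.startswith("** END OF DUMP"):
                in_dump = False
            elif (m := TIMESTAMP_RE.match(line)):
                alert["timestamp"] = m["ts"]
            elif in_dump and (m := INNER_RE.match(line)):
                alert["inner"] = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            elif not in_dump and (m := OUTER_RE.match(line)):
                alert["outer"] = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            elif not in_dump and (m := CODE_RE.search(line)):
                alert["icmp_code"] = int(m["code"])
        alerts.append(alert)
    return alerts


def embedded_direction(alert, home_net=HOME_NET):
    """Say which side sent the datagram that the ICMP error refers to."""
    inner = alert["inner"]
    if inner is None:
        return "no-embedded-datagram"
    home = ipaddress.ip_network(home_net)
    return "reply-to-outbound" if ipaddress.ip_address(inner["src"]) in home else "reply-to-inbound"


def find_sweeps(alerts):
    """Group embedded datagrams by (sender, proto, dport); flag consecutive destinations."""
    by_probe = defaultdict(set)
    for alert in alerts:
        inner = alert["inner"]
        if inner is not None:
            by_probe[(inner["src"], inner["proto"], inner["dport"])].add(ipaddress.ip_address(inner["dst"]))
    findings = []
    for (src, proto, dport), dsts in by_probe.items():
        ordered = sorted(dsts)
        consecutive = len(ordered) > 1 and all(int(b) - int(a) == 1 for a, b in zip(ordered, ordered[1:]))
        findings.append({"probe_src": src, "proto": proto, "dport": dport,
                         "targets": [str(ip) for ip in ordered], "sequential": consecutive})
    return findings


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_LOG)
    for a in parsed:
        print(a["timestamp"], a["outer"]["src"], "->", a["outer"]["dst"], "code", a["icmp_code"], embedded_direction(a))
    for finding in find_sweeps(parsed):
        print(finding)
```

The part worth reading in the output is the embedded datagram, not the outer ICMP header: an ICMP Destination Unreachable carries the start of the packet it is answering, so `embedded_direction` tells you whether the error is a reply to something your own host sent, and `find_sweeps` shows whether those embedded destinations walk through an address range one host at a time. On the sample records every embedded datagram is UDP from the 203.0.113.146 stand-in to port 137 on 134.130.198.63, .64 and .65 in turn, which is the first thing to confirm against the real log before deciding whether the activity is inbound or outbound.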
