
| Subject: | RE: [Snort-users] Alerts of the ICMP relationship with smtp connection? |
|---|---|
| Date: | Fri, 10 Jun 2005 05:42:46 -0700 (PDT) |
Hi, I have new information about this case. The receiving mail server is Merak Mail Server Software 8.0.3. Does someone know this server? Does it make ICMP requests while receiving the e-mail? Thanks again.

--- Paulo <listassec@yahoo.com> wrote:

Hi Bruce, Thanks again. For each e-mail sent, Snort registered many ICMP alerts, and always with three different types (ICMP PING *NIX; ICMP PING; ICMP PING BSDtype). Paulo

--- "Briggs, Bruce" <Bruce.Briggs@suny.edu> wrote:

The DF bit indicates that anything transferring the packet, such as a router, is not allowed to fragment the packet into smaller chunks to get it to its destination. This could be done by PMTU checking, but the packet size is quite small for PMTU. I'm not sure why your server is sending these out. It looks like you have 3 rules which are logging 1 ping packet. Either that or the packet is being sent 3 times with identical info. Bruce

-----Original Message-----
From: Paulo [mailto:listassec@yahoo.com]
Sent: Tuesday, June 07, 2005 10:17 AM
To: Briggs, Bruce; Bob Konigsberg
Cc: Snort.org List
Subject: RE: [Snort-users] Alerts of the ICMP relationship with smtp connection?

Hi Bruce, Thanks for the help. Below are the Snort alerts, where 200.201.202.203 is the IP address of the mail's destination and 200.201.101.102 is my IP address.

[**] [1:366:7] ICMP PING *NIX [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:22.866164 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:1 ECHO

[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
05/18-10:27:23.865467 200.201.202.203 -> 200.201.101.102
ICMP TTL:54 TOS:0x0 ID:2 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:31252 Seq:2 ECHO
[Xref => http://www.whitehats.com/info/IDS152]

The ICMP packet is small and the DF flag is set on. I was looking at the TCP packet size that my Postfix sends, and it is 1500 bytes.

Does the DF flag in the ICMP packet mean that the destination mail server is telling Postfix not to fragment the packet? Normally the mails sent have CorelDraw file attachments, almost always of 1 MB or more. Thanks for the help again.

--- "Briggs, Bruce" <Bruce.Briggs@suny.edu> wrote:

Since these are echo request (ping) ICMP packets, they are not likely to be caused by PMTU checking. However, some servers do a ping prior to sending, to make sure that the far end is up. You need to inspect the ICMP packet to see if it is a big (near 1500 bytes) or small packet, if the do-not-fragment bit is set, etc., to try to ascertain why this may be sent by the sending software. Perhaps you should ask the software provider why it sends out ICMP packets. Bruce

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Paulo
Sent: Tuesday, June 07, 2005 7:59 AM
To: Bob Konigsberg
Cc: Snort.org List
Subject: RE: [Snort-users] Alerts of the ICMP relationship with smtp connection?

Hi Bob, Thanks for the help. The message below is my original message. After this message, I have been searching for an answer to this question. In a test, I watched the maillog of Postfix while Postfix sends the mail. At the same time I was watching the alert log of Snort too. The alerts in Snort are generated exactly while Postfix sends mails. The files I was watching are /var/log/maillog and /var/log/snort/alert. I think that the alerts are harmless traffic, but I'd like to understand why they are generated. Thanks for the help again.

ORIGINAL MESSAGE:

I am using Snort version 2.3.2 (Build 12). I have in my Snort logs the alerts: 366 - ICMP Ping *nix; 384 - ICMP Ping; 368 - Ping BSDtype. I investigated my other systems' logs, and the time at which this alert is recorded is the same as that of the SMTP connection registered in the maillog archive of my Postfix server. The source IP address in Snort's log is equal to the destination IP address of the SMTP connection in the maillog.

Can these alerts be generated by my mail server when it sends mails? Are these alerts a false positive? Thanks for the help

--- Bob Konigsberg <bobkberg@networkeval.com> wrote:

ICMP type 8 is an echo request - someone is trying to ping you - probably in an attempt to map out your network. Bob

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Paulo
Sent: Monday, June 06, 2005 12:51 PM
To: Frank Knobbe
=== message truncated ===