From owner-freebsd-security Fri Jan 31 04:03:35 2003
Date: Fri, 31 Jan 2003 15:05:12 +0300
From: dawnshade <h-k@mail.ru>
Message-ID: <74365074589.20030131150512@mail.ru>
To: freebsd-security@freebsd.org
Subject: strange packets
X-Mailer: The Bat! (v1.62 Christmas Edition)

Hello All,

Sometimes I see these records in the Snort alert log:

------------------------
[**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
01/29/03-23:34:34.582889 212.68.201.5 -> my.net.56.160
ICMP TTL:47 TOS:0x0 ID:61571 IpLen:20 DgmLen:76
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
my.net.56.160:12709 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:3455 IpLen:20 DgmLen:40
*2U***SF Seq: 0x54800000  Ack: 0x105A3E  Win: 0x0  TcpLen: 40
** END OF DUMP

[**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
01/30/03-03:38:34.722373 212.68.201.5 -> my.net.56.163
ICMP TTL:47 TOS:0x0 ID:55712 IpLen:20 DgmLen:76
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
my.net.56.163:2058 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:256 IpLen:20 DgmLen:40
12UAPRS* Seq: 0x14A80000  Ack: 0x24439  Win: 0x0  TcpLen: 36
** END OF DUMP

[**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
01/30/03-04:30:45.313200 212.68.201.5 -> my.net.56.151
ICMP TTL:47 TOS:0x0 ID:5550 IpLen:20 DgmLen:76
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
my.net.56.151:28011 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:256 IpLen:20 DgmLen:40
*2*APRSF Seq: 0x38E60000  Ack: 0x50180F  Win: 0x0  TcpLen: 12
** END OF DUMP

[**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
01/30/03-04:53:32.286139 212.68.201.5 -> my.router.246.1
ICMP TTL:47 TOS:0x20 ID:45640 IpLen:20 DgmLen:76
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
my.router.246.1:28163 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:256 IpLen:20 DgmLen:40
1*U***S* Seq: 0x1CC40000  Ack: 0x40F437  Win: 0x0  TcpLen: 44
** END OF DUMP
------------------------

Why does 212.68.201.5 send replies to broadcasts, and why are there such strange flags in the packets?
I didn't find any other activity from this IP in the log file.

Snort 1.9.0, FreeBSD 4.5 Release #0.

-- 
...The daemons find works for the idle hands....

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
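The four alerts quoted in the message share several inconsistencies that can be checked mechanically rather than by eye: the quoted "original" datagram is addressed to the limited broadcast address, its TCP flags have reserved bits and SYN+FIN set, its TcpLen disagrees with the datagram's own DgmLen, and the ICMP message quotes more of the original than that DgmLen allows. The script below is an added example, not part of the original message and not Snort's own code; it parses a Snort 1.x ICMP alert with its ORIGINAL DATAGRAM DUMP and lists such fields. Both embedded alert texts are constructed: the first is the message's first record re-broken into Snort's usual line layout, the second is a made-up, well-formed control using RFC 5737 addresses (its rule SID and message text are illustrative).

```python
"""Consistency checks for Snort 1.x ICMP Destination Unreachable alerts.

Added example, not part of the original message or of Snort.  It parses the
ORIGINAL DATAGRAM DUMP that Snort prints for ICMP error messages and reports
fields that cannot belong to a genuine error reply.
"""
import re

# Constructed sample 1: the message's first record, re-broken into Snort's
# normal line layout.
SAMPLE_ALERT = """\
[**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
01/29/03-23:34:34.582889 212.68.201.5 -> my.net.56.160
ICMP TTL:47 TOS:0x0 ID:61571 IpLen:20 DgmLen:76
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
my.net.56.160:12709 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:3455 IpLen:20 DgmLen:40
*2U***SF Seq: 0x54800000  Ack: 0x105A3E  Win: 0x0  TcpLen: 40
** END OF DUMP
"""

# Constructed sample 2: a well-formed "admin prohibited" reply to a SYN, used
# as a control (RFC 5737 addresses; SID and message text are illustrative).
BENIGN_ALERT = """\
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
01/30/03-10:00:00.000000 198.51.100.1 -> 192.0.2.10
ICMP TTL:62 TOS:0x0 ID:4242 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.0.2.10:40123 -> 198.51.100.7:25
TCP TTL:63 TOS:0x0 ID:1001 IpLen:20 DgmLen:60
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
** END OF DUMP
"""

OUTER_RE = re.compile(
    r"(?P<src>\S+) -> (?P<dst>\S+)\s+ICMP TTL:(?P<ttl>\d+) TOS:\S+ ID:\d+ "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)\s+Type:(?P<type>\d+)\s+Code:(?P<code>\d+)")
INNER_RE = re.compile(
    r"ORIGINAL DATAGRAM DUMP:\s+(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP) TTL:(?P<ttl>\d+) TOS:\S+ ID:\d+ IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
# Snort 1.x flag string: two reserved bits ('1', '2') then U A P R S F, '*' = clear.
TCP_RE = re.compile(
    r"(?P<flags>[1*][2*][U*][A*][P*][R*][S*][F*]) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+"
    r"Ack: (?P<ack>0x[0-9A-Fa-f]+)\s+Win: (?P<win>0x[0-9A-Fa-f]+)\s+TcpLen: (?P<tcplen>\d+)")


def _ints(groups):
    return {k: (int(v) if v.isdigit() else v) for k, v in groups.items()}


def parse_alert(text):
    """Split one alert into outer ICMP fields, quoted IP fields and quoted TCP fields."""
    outer, inner = OUTER_RE.search(text), INNER_RE.search(text)
    if not outer or not inner:
        raise ValueError("not a Snort ICMP alert with an original datagram dump")
    alert = {"outer": _ints(outer.groupdict()), "inner": _ints(inner.groupdict()), "tcp": None}
    tcp = TCP_RE.search(text, inner.end())
    if tcp:
        g = tcp.groupdict()
        alert["tcp"] = {"flags": g["flags"], "seq": int(g["seq"], 16), "ack": int(g["ack"], 16),
                        "win": int(g["win"], 16), "tcplen": int(g["tcplen"])}
    return alert


def check_alert(text):
    """Return (code, explanation) pairs for every inconsistency in the alert."""
    a = parse_alert(text)
    o, i, t = a["outer"], a["inner"], a["tcp"]
    findings = []
    # 255.255.255.255 is never forwarded off its link, so a host on another
    # network cannot have received the datagram it claims to be answering.
    if i["dst"] == "255.255.255.255":
        findings.append(("broadcast-dst", "quoted datagram addressed to the limited broadcast address"))
    # Type 3 code 2 means "no such transport protocol here"; for TCP that is a
    # claim no ordinary IP host makes.
    if o["type"] == 3 and o["code"] == 2 and i["proto"] == "TCP":
        findings.append(("proto-unreach-tcp", "Protocol Unreachable reported for a TCP segment"))
    # An ICMP error quotes the original header plus some payload; it cannot quote
    # more bytes than the original datagram's own total length.
    quoted = o["dgmlen"] - o["iplen"] - 8          # 8 = ICMP header
    if quoted > i["dgmlen"]:
        findings.append(("overquoted", f"{quoted} bytes quoted but original DgmLen is {i['dgmlen']}"))
    if t is not None:
        f = t["flags"]
        if f[0] != "*" or f[1] != "*":
            findings.append(("reserved-bits", f"reserved TCP flag bits set ({f})"))
        if "S" in f and "F" in f:
            findings.append(("syn-fin", "SYN and FIN set together"))
        if "S" in f and "R" in f:
            findings.append(("syn-rst", "SYN and RST set together"))
        tcp_bytes = i["dgmlen"] - i["iplen"]
        if t["tcplen"] < 20:
            findings.append(("tcplen-too-short", f"TcpLen {t['tcplen']} below the 20-byte minimum"))
        elif t["tcplen"] > tcp_bytes:
            findings.append(("tcplen-too-long", f"TcpLen {t['tcplen']} exceeds the {tcp_bytes} TCP bytes present"))
    return findings


if __name__ == "__main__":
    for name, alert in (("sample", SAMPLE_ALERT), ("control", BENIGN_ALERT)):
        print(f"{name}: {[code for code, _ in check_alert(alert)] or 'no findings'}")
```

Run over the full alert file, the same checks separate replies that quote an impossible original (as all four records here do) from ordinary ICMP errors such as the control record, which produces no findings.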