Snort - what does this mean?

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    12

    Snort - what does this mean?

    Hi guys,

    I installed snort on my computer a while ago, and today I decided to take a look in
    the snort log-files.

    I found these lines:

    15:13:02.147356 213.66.247.247 > 172.16.0.20: icmp: host 217.209.203.66 unreachable (DF)
    15:13:05.371134 213.66.247.247 > 172.16.0.20: icmp: host 217.209.203.66 unreachable (DF)
    15:13:11.957263 213.66.247.247 > 172.16.0.20: icmp: host 217.209.203.66 unreachable (DF)

    I use NAT on my FW; my internal addresses are 172.16.0.0/24. 213.66.247.247 and
    217.209.203.66 are the ones I am curious about.

    Does this mean that someone is pinging/probing my computer spoofing the reply address, or something like that?

  3. #3
    Gray Haired Old Fart aeallison's Avatar
    Join Date
    Jul 2002
    Location
    Buffalo, Missouri USA
    Posts
    888
    I am not positive, but these IPs could be something it is looking for rather than finding. You probably already have this link, but....

    http://www.snort.org/docs/
    I have a question; are you the bug, or the windshield?

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    There is a router whose IP address is 213.66.247.247 which is telling internal host 172.16.0.20 that host 217.209.203.66 is unreachable.

    This is presumably as a result of the internal machine trying to contact that IP in some way, for example a web server running there.

    Unreachable typically means that the IP either is unassigned (there is no route to it at all), is temporarily unavailable (for instance the only route there is down), or communication with it is denied by policy (i.e. a firewall).

    This is perfectly normal, happens a lot and I'm not sure why snort is logging it. Have you tuned your snort.conf properly?

    An IDS is not an install-and-forget piece of software, it requires tuning. A well tuned IDS is a good thing, a badly tuned IDS is useless.
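
    Slarty's reading of the trace in post #1, worked through as an added Python example (not code from the thread or from Snort): it builds an ICMP Destination Unreachable the way router 213.66.247.247 would have, decodes it, and checks the one thing a receiver can actually verify. The source address of an ICMP error is no more trustworthy than that of any other packet, but a genuine type-3 message quotes the IP header and the first 8 bytes of the datagram that provoked it (RFC 792), so the host can check that the quoted packet is one it really sent, on a flow it really opened. The addresses are the ones from the thread; the port-80 flow, the connection table and the forged message are constructed for the example. It also assumes the sensor sees the quote after the NAT box has translated it back to the internal address (a NAT that forwards the error inward rewrites the quoted header as well); if yours does not, compare against the public address instead.

```python
"""Decode ICMP Destination Unreachable messages and check that the quoted
datagram belongs to a flow this host actually started. Constructed example:
packets are built in memory, nothing is captured from the wire."""
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ICMP_PROTO, TCP_PROTO, UDP_PROTO = 1, 6, 17
ICMP_DEST_UNREACH = 3
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "net admin prohibited", 10: "host admin prohibited",
                 13: "communication admin prohibited"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; verifying a correct checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_ipv4(src, dst, proto, payload, df=False) -> bytes:
    """Minimal IPv4 header without options; DF mirrors the '(DF)' in the trace."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000 if df else 0, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_tcp_syn(src, dst, sport, dport) -> bytes:
    """Outbound SYN; only its IP header and first 8 bytes get quoted in the error."""
    tcp = struct.pack("!HHII", sport, dport, 0x1000, 0) + bytes.fromhex("5002ffff00000000")
    return build_ipv4(src, dst, TCP_PROTO, tcp)

def build_unreachable(router, victim, original, code=1) -> bytes:
    """ICMP type 3 as a router emits it: 8-byte header + offending IP header + 8 bytes (RFC 792)."""
    ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(router, victim, ICMP_PROTO, icmp, df=True)

@dataclass
class Unreachable:
    sender: str            # outer source: the router reporting the error
    receiver: str          # outer destination: the host being told
    code: int
    inner_src: str         # from the quoted original datagram
    inner_dst: str
    inner_proto: int
    inner_dport: Optional[int]

def parse_unreachable(packet: bytes) -> Optional[Unreachable]:
    """Decode a type-3 ICMP error; None for anything malformed or not type 3."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 or packet[9] != ICMP_PROTO:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH or inet_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
    if len(quoted) < max(20, q_ihl + 8):
        return None  # RFC 792 requires header + 8 bytes; a shorter quote is bogus
    dport = None
    if quoted[9] in (TCP_PROTO, UDP_PROTO):
        dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    return Unreachable(ip_str(packet[12:16]), ip_str(packet[16:20]), icmp[1],
                       ip_str(quoted[12:16]), ip_str(quoted[16:20]), quoted[9], dport)

Flow = Tuple[str, int, Optional[int]]   # (destination, protocol, destination port)

def classify(msg: Unreachable, active_flows: Set[Flow]) -> str:
    """The ICMP source can be forged, so the quoted packet is the only checkable part.
    expected: quotes a packet we sent on a flow we opened (the normal case).
    unsolicited: quotes our address on a flow we never opened (stale state, or someone
    else is sending packets with our source address). inconsistent: quotes a packet
    that was never ours; no router on our path could produce that, so it was forged."""
    if msg.inner_src != msg.receiver:
        return "inconsistent"
    if (msg.inner_dst, msg.inner_proto, msg.inner_dport) in active_flows:
        return "expected"
    return "unsolicited"

def demo() -> dict:
    """Scenario with the thread's addresses; the flows and the forged message are made up."""
    router, host, target = "213.66.247.247", "172.16.0.20", "217.209.203.66"
    active = {(target, TCP_PROTO, 80)}   # in practice: your connection/NAT table
    cases = {
        "genuine": build_unreachable(router, host, build_tcp_syn(host, target, 40123, 80)),
        "never_sent": build_unreachable(router, host, build_tcp_syn(host, "198.51.100.7", 40124, 25)),
        "forged": build_unreachable("198.51.100.1", host, build_tcp_syn("10.9.9.9", target, 1, 80)),
    }
    return {name: classify(parse_unreachable(pkt), active) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-10s %s" % (name, verdict))
```

    The three verdicts map onto the question in post #1. "expected" is the normal case Slarty describes: the host tried to reach 217.209.203.66 and the router on the path said it could not. "unsolicited" means the error quotes this host's address on a flow it never opened, which is either stale state or backscatter from someone else sending packets with this host's source address. "inconsistent" is the only verdict that actually indicates a forged message, because no router on the path could have quoted a packet the host never sent. A stateful firewall makes the same comparison before letting an ICMP error through as traffic related to an existing connection.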

  7. #7
    Junior Member
    Join Date
    Oct 2002
    Posts
    12
    Hi Slarty,

    I tried to look at the snort logfile using tethereal instead of tcpdump, and using that tool everything looked okay. Meaning that it was just a host unreachable "thing", just like you said, perfectly normal.

    I am pretty new at using Snort, or rather - I haven't looked much at how to tune and setup configuration files and rules, and what's inside the logfiles, but I have been running it for a while. I am just now trying to understand the context of the logfiles, and how to setup and define rulesets.

    Thanks!

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Very good points Slarty.

    Ostefan, if you will look at the rules directory (there should have been a tarball that, when you untar it, creates a directory named rules under your installation directory), in that directory are various classifications of attacks/informative-type things. This is where you look to turn rules on/off. For example, you might not care that you are getting ICMP unreachables; I think (not 100% sure on this, I don't use snort very often) there will be something to the effect of an icmp.conf (grep -i icmp rules/* will tell you for sure). If you don't want a signature there, comment out the line (I think a '#' works, not 100% sure on that either). If you aren't interested in an entire series of rules (for example, maybe the web ones since you aren't running a web server), just move the entire .conf file to the preceding directory.

    Anytime you make changes to the configuration file, you will need to restart snort. My suggestion would be to look at the log file; in the log file you will see (usually) a reference to a CVE article. Follow the link and read about it (if you don't understand what it is talking about, do a Google search; usually there is more than enough information out there, securityfocus.com is a good place to look, so is cert.org). Based on what the article tells you, decide whether you think it is important or not (or decide if all of the reports you are seeing are false positives), and if so, turn the check off. A false positive would be something that triggers the signature to report that something bad has happened when it really hasn't (yes, there are plenty of poorly written signatures that would cause this to happen). Eventually, after much work, you will get a configuration that only reports the very serious problems and doesn't bug you about the things that you shouldn't worry about (like the ICMP unreachable).

    Also, don't forget to periodically check back at snort.org for updated signatures (a minimum of every couple of weeks); otherwise you will be missing the attacks that you are most likely to see.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
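
    The hands-on tuning nebulus describes, as an added Python helper (not code from the thread or from the Snort project): it lists rules the way `grep -i icmp rules/*` would, and disables rules by SID or by message text by prefixing their lines with `#`, which is how a rule is commented out in a Snort rule file. A rule may be continued onto the next line with a trailing backslash, so the helper comments out every physical line of such a rule, and it leaves already-disabled rules alone so it can be re-run safely. The rule file in the block is constructed in the style of icmp.rules; its SIDs are illustrative, so check your own rules directory for the real ones.

```python
"""Find and disable Snort rules by SID or by message text, the way rule files are
tuned by hand: a disabled rule is its line(s) prefixed with '#'. Rules continued
over several lines with a trailing backslash are handled as one rule.
The sample rule file below is constructed in the style of icmp.rules."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')

SAMPLE_RULES = """\
# Constructed excerpt in the style of Snort's icmp.rules; not the shipped file.
var HOME_NET 172.16.0.0/24
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Unreachable)"; itype:3; icode:1; sid:399; classtype:misc-activity; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Port Unreachable)"; \\
    itype:3; icode:3; sid:402; classtype:misc-activity; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; sid:469; classtype:attempted-recon; rev:1;)
"""

@dataclass
class Rule:
    sid: Optional[int]
    msg: str
    enabled: bool
    lines: Tuple[int, int]   # first and last physical line (0-based, inclusive)

def _logical_rules(lines: List[str]):
    """Yield (first, last, joined_text); a trailing backslash joins the next line."""
    i = 0
    while i < len(lines):
        first = i
        while lines[i].rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
        joined = " ".join(l.rstrip().rstrip("\\").strip() for l in lines[first:i + 1])
        yield first, i, joined
        i += 1

def parse_rules(text: str) -> List[Rule]:
    """Every rule in the file, enabled or commented out; var/include/comment lines are skipped."""
    rules = []
    for first, last, joined in _logical_rules(text.splitlines()):
        stripped = joined.strip()
        body = stripped.lstrip("# ")
        if not body or "(" not in body or body.split()[0] not in ACTIONS:
            continue
        sid, msg = SID_RE.search(body), MSG_RE.search(body)
        rules.append(Rule(int(sid.group(1)) if sid else None, msg.group(1) if msg else "",
                          not stripped.startswith("#"), (first, last)))
    return rules

def disable_rules(text: str, sids: Iterable[int] = (),
                  msg_pattern: Optional[str] = None) -> Tuple[str, List[Optional[int]]]:
    """Comment out each enabled rule whose sid is in `sids` or whose msg matches
    `msg_pattern` (case-insensitive). Already-disabled rules are left alone, so the
    operation is idempotent. Returns (new file text, sids that were disabled)."""
    wanted = set(sids)
    pat = re.compile(msg_pattern, re.IGNORECASE) if msg_pattern else None
    lines = text.splitlines()
    disabled = []
    for rule in parse_rules(text):
        if not rule.enabled:
            continue
        if rule.sid in wanted or (pat is not None and pat.search(rule.msg)):
            for i in range(rule.lines[0], rule.lines[1] + 1):
                lines[i] = "# " + lines[i]     # every physical line of a continued rule
            disabled.append(rule.sid)
    return "\n".join(lines) + ("\n" if text.endswith("\n") else ""), disabled

def list_rules(text: str, pattern: str) -> List[Rule]:
    """The 'grep -i icmp rules/*' step: rules whose text matches, with their state."""
    pat = re.compile(pattern, re.IGNORECASE)
    lines = text.splitlines()
    return [r for r in parse_rules(text)
            if pat.search(" ".join(lines[r.lines[0]:r.lines[1] + 1]))]

if __name__ == "__main__":
    for r in list_rules(SAMPLE_RULES, "icmp"):
        print(r.sid, "on " if r.enabled else "off", r.msg)
    tuned, done = disable_rules(SAMPLE_RULES, sids={399})
    print("disabled:", done)
    print(tuned)
```

    Commenting a rule out rather than deleting it keeps the file diffable against the next signature release, which matters because an updated rules tarball overwrites local edits: keep the list of SIDs you have disabled and re-apply it after every update, which is exactly what the idempotent `disable_rules` is for.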
