Hi All,

Installed snort again last night on my inside router (behind a pix) and also installed ACID (http://www.cert.org/kb/acid/) - very slick, if you haven't seen it. Anyway, most of what I saw this morning was pretty run-of-the-mill, but the following seemed kind of odd. Snort trapped it as "MISC Large ICMP Packet", which it was - 1472 bytes of NULL. However, it certainly wasn't a DoS against me, as it only came every several minutes. All the packets were from the same machine (vacuum.cso.uiuc.edu/128.174.5.113), to my mail server. My first assumption was that my IP had been used as one of many in an icmp flood of vacuum.cso.uiuc.edu, but the analysis claims that the packets were actually "Echo Request"s, which I assume means that vacuum was pinging me. Sample packet follows, as well as a summary of all packets. Your advice would be welcome!

------------------------------------------------------------------------------
#(1 - 57) [2001-07-25 18:08:13] [arachNIDS/246] MISC Large ICMP Packet

IPv4: 128.174.5.113 -> 163.150.152.247
      hlen=5 TOS=0 dlen=1500 ID=12826 flags=0 offset=0 TTL=240 chksum=36953

ICMP: type=Echo Request code=0 checksum=63487 id=0 seq=0

Payload: length = 1472

000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
030 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
040 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
050 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
060 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
070 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
080 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
090 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
100 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
110 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
120 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
130 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
140 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
150 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
160 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
180 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
190 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
200 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
210 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
220 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
230 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
240 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
250 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
260 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
270 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
280 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
290 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
300 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
310 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
320 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
330 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
340 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
350 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
360 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
370 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
380 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
390 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
400 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
420 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
430 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
440 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
450 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
460 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
470 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
480 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
490 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
500 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
510 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
520 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
530 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
540 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
550 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
560 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
570 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
580 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
590 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
5a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
5b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
------------------------------------------------------------------------------

Generated by ACID v0.9.6b12 on Thu July 26, 2001 07:06:58

#1-57|  [2001-07-25 18:08:13] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-72|  [2001-07-25 18:10:38] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-82|  [2001-07-25 18:14:44] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-97|  [2001-07-25 18:18:47] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-100| [2001-07-25 18:21:10] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-101| [2001-07-25 18:21:10] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-119| [2001-07-25 18:39:10] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-133| [2001-07-25 18:45:59] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-150| [2001-07-25 19:11:36] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-151| [2001-07-25 19:14:39] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-165| [2001-07-25 19:24:31] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-166| [2001-07-25 19:24:31] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-225| [2001-07-25 20:42:25] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-235| [2001-07-25 20:48:53] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-244| [2001-07-25 20:56:53] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-253| [2001-07-25 21:06:40] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-256| [2001-07-25 21:12:05] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-264| [2001-07-25 21:19:56] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-277| [2001-07-25 21:32:00] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-309| [2001-07-25 22:00:24] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-313| [2001-07-25 22:05:28] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-314| [2001-07-25 22:05:28] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-333| [2001-07-25 22:29:20] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-342| [2001-07-25 22:32:15] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-350| [2001-07-25 22:40:12] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-834| [2001-07-26 07:02:41] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-458| [2001-07-26 00:46:00] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-789| [2001-07-26 06:58:40] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-784| [2001-07-26 06:47:53] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-778| [2001-07-26 06:42:15] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-775| [2001-07-26 06:40:55] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-565| [2001-07-26 03:04:41] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-762| [2001-07-26 06:27:58] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-753| [2001-07-26 06:23:01] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-585| [2001-07-26 03:26:08] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-751| [2001-07-26 06:20:28] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-738| [2001-07-26 06:12:37] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-727| [2001-07-26 06:00:09] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-639| [2001-07-26 04:34:32] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-657| [2001-07-26 04:51:02] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-660| [2001-07-26 04:58:02] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-667| [2001-07-26 05:00:23] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet
#1-668| [2001-07-26 05:02:05] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet

--
Chris Hobbs
Silver Valley Unified School District
Head geek: Technology Services Coordinator
webmaster: http://www.silvervalley.k12.ca.us/~chobbs/
postmaster: chobbsat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
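The following is an added triage example, not part of the post above or of Snort or ACID. It takes the header values ACID decoded for alert #1-57 (type Echo Request, code 0, id 0, seq 0, checksum 63487, 1472 zero bytes of payload, IP hlen 5 and dlen 1500) and checks three things a responder would want to confirm before deciding whether this is hostile: that the reported ICMP checksum is consistent with an all-zero payload (so the dump is not truncated or corrupted), that 20 + 8 + 1472 bytes adds up to the 1500-byte datagram ACID reported, and that the ICMP type says who originated the traffic (an Echo Request, type 8, is sent by the pinging host; backscatter from a spoofed-source flood would arrive as Echo Replies, type 0). It then parses the first six lines of the ACID summary, copied from the post, and computes inter-arrival gaps and a peak-rate figure. The 10-second window and 20-packet threshold in `classify` are assumptions chosen for illustration, not Snort or ACID settings.

```python
"""Triage helper for a Snort "MISC Large ICMP Packet" alert (added example)."""
import re
import struct
from datetime import datetime

# Header fields exactly as ACID reported them for alert #1-57 in the post.
IP_HLEN_WORDS = 5            # hlen=5 -> 20-byte IP header
IP_DLEN = 1500               # dlen=1500
ICMP_ECHO_REQUEST = 8        # ACID decoded "type=Echo Request"
ICMP_ECHO_REPLY = 0
ICMP_CODE, ICMP_ID, ICMP_SEQ = 0, 0, 0
REPORTED_CHECKSUM = 63487    # checksum=63487 in the ACID output
PAYLOAD = bytes(1472)        # the dump: 1472 bytes of 0x00


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(icmp_type: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo header plus payload with the checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def icmp_checksum_field(packet: bytes) -> int:
    return struct.unpack("!H", packet[2:4])[0]


def verify_icmp(packet: bytes) -> bool:
    """A correct ICMP message sums to zero when the checksum field is included."""
    return rfc1071_checksum(packet) == 0


def size_breakdown(ip_hlen_words: int, payload_len: int, reported_dlen: int) -> dict:
    ip_header = ip_hlen_words * 4
    total = ip_header + 8 + payload_len
    return {"ip_header": ip_header, "icmp_header": 8, "payload": payload_len,
            "total": total, "matches_dlen": total == reported_dlen}


def origin_of_probe(icmp_type: int) -> str:
    """Type 8 is emitted by the host doing the pinging; type 0 is what a third
    party receives as backscatter when its address was spoofed in a flood."""
    if icmp_type == ICMP_ECHO_REQUEST:
        return "remote host initiated the ping (Echo Request)"
    if icmp_type == ICMP_ECHO_REPLY:
        return "reply traffic, consistent with backscatter (Echo Reply)"
    return "not an echo message (type %d)" % icmp_type


# Sample packet rebuilt from the reported header fields.
SAMPLE_PACKET = build_icmp_echo(ICMP_ECHO_REQUEST, ICMP_CODE, ICMP_ID, ICMP_SEQ, PAYLOAD)

# ACID alert-summary lines, copied from the post (first six of the 43 shown).
ALERT_LINES = [
    "#1-57| [2001-07-25 18:08:13] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet",
    "#1-72| [2001-07-25 18:10:38] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet",
    "#1-82| [2001-07-25 18:14:44] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet",
    "#1-97| [2001-07-25 18:18:47] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet",
    "#1-100| [2001-07-25 18:21:10] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet",
    "#1-101| [2001-07-25 18:21:10] 128.174.5.113 -> 163.150.152.247 [arachNIDS/246] MISC Large ICMP Packet",
]
ALERT_RE = re.compile(r"#(\d+)-(\d+)\|\s*\[([^\]]+)\]\s*(\S+)\s*->\s*(\S+)\s*\[([^\]]+)\]\s*(.+)")


def parse_alerts(lines):
    """Parse ACID summary lines into dicts, sorted by timestamp (stable for ties)."""
    events = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue                          # skip anything that is not an alert line
        events.append({"id": "%s-%s" % (m.group(1), m.group(2)),
                       "time": datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S"),
                       "src": m.group(4), "dst": m.group(5),
                       "ref": m.group(6), "sig": m.group(7).strip()})
    return sorted(events, key=lambda e: e["time"])


def interarrival_seconds(events):
    times = [e["time"] for e in events]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def peak_per_window(events, window_seconds: int) -> int:
    """Largest number of alerts falling inside any sliding window of the given length."""
    times = [e["time"] for e in events]
    peak = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() >= window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def classify(events, window_seconds: int = 10, flood_threshold: int = 20) -> str:
    """Assumed rule of thumb: a flood would put many packets in a short window."""
    return "flood" if peak_per_window(events, window_seconds) >= flood_threshold else "low-rate probe"


if __name__ == "__main__":
    print("checksum ok:", verify_icmp(SAMPLE_PACKET), icmp_checksum_field(SAMPLE_PACKET) == REPORTED_CHECKSUM)
    print("sizes:", size_breakdown(IP_HLEN_WORDS, len(PAYLOAD), IP_DLEN))
    print("origin:", origin_of_probe(ICMP_ECHO_REQUEST))
    ev = parse_alerts(ALERT_LINES)
    print("gaps (s):", interarrival_seconds(ev), "verdict:", classify(ev))
```

The checksum check reproduces ACID's 63487 exactly (0x0800 summed over an otherwise all-zero message, complemented, is 0xF7FF), which confirms the payload really is 1472 null bytes rather than a display artifact; the size check shows the datagram fills a 1500-byte Ethernet MTU, which is what you would expect from a large-ping or path-MTU style probe rather than a crafted attack packet. Pairs of alerts with identical timestamps (#1-100/#1-101) are the only sub-second events in the sample, so the peak count over any 10-second window is 2.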
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 09:09:04 PDT