RE: ICMP Destination Unreachable in SNORT

From: Robert Buckley (rbuckleyat_private)
Date: Wed Jun 19 2002 - 09:32:05 PDT


    Sounds like a typical UDP port 137 broadcast getting sent to the outside.
    Snort should give the initial packet that is causing the unreach.
    I see the same thing with dial-up users who can't find a WINS box.
    
    -----Original Message-----
    From: Grimes, Shawn (NIA/IRP) [mailto:GrimesShat_private]
    Sent: Wednesday, June 19, 2002 11:18 AM
    To: 'incidentsat_private'
    Subject: ICMP Destination Unreachable in SNORT
    
    
    I'm getting ICMP Destination Unreachable alerts in SNORT from a dial
    up user.  It seems the original destination IP is to x.x.255.255
    (x.x. being the first two octets of our range).  The router is
    filtering these packets (hence why I get the ICMP destination
    unreachable).  My question is, is this a misconfigured box? If so,
    what is misconfigured?  Is this a compromised box?
    
    Any ideas? Do you need additional information?
    
    Thank You,
    Shawn Grimes
    Computer Specialist
    NCTS - Gerontology Research Center
    410-558-8007
    grimesshat_private 
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
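
An ICMP Destination Unreachable message quotes the original IP header plus at least the first 8 bytes of its payload (RFC 792), which is how the triggering packet mentioned in the reply can be recovered from the alert. The following is an added example, not part of the original thread; the addresses, the ICMP code 13 (administratively prohibited) and all function names are constructed assumptions.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
NETBIOS_NS_PORT = 137  # UDP port named in the reply


def build_sample_unreachable():
    """Constructed sample: ICMP type 3 quoting a UDP/137 packet to x.x.255.255."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 78, 0x1234, 0, 127, 17, 0,
                           socket.inet_aton("10.1.2.77"),      # constructed source
                           socket.inet_aton("10.1.255.255"))   # constructed target
    inner_udp = struct.pack("!HHHH", 137, 137, 58, 0)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, 13, 0, 0)  # checksums left 0
    return icmp_hdr + inner_ip + inner_udp


def parse_unreachable(icmp):
    """Return fields of the quoted original datagram, or None if unusable."""
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    quoted = icmp[8:]                      # skip the 8-byte ICMP header
    if quoted[0] >> 4 != 4:                # quoted datagram must be IPv4
        return None
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl:
        return None
    info = {
        "icmp_code": icmp[1],
        "proto": quoted[9],
        "src": socket.inet_ntoa(quoted[12:16]),
        "dst": socket.inet_ntoa(quoted[16:20]),
        "sport": None, "dport": None,
    }
    # The quoted 8 payload bytes are enough to read TCP/UDP ports.
    if info["proto"] in (6, 17) and len(quoted) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info


def looks_like_netbios_broadcast(info):
    """True for UDP to port 137 aimed at a .255.255 address, as in the thread."""
    return (info is not None and info["proto"] == 17
            and info["dport"] == NETBIOS_NS_PORT
            and info["dst"].endswith(".255.255"))
```
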
    
    



    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 14:16:25 PDT