This is a discussion on RE: [Snort-users] exporting snort logs within the Snort forums, part of the System Security and Security Related category.
IIRC, the "content" of ICMP unreachables (of which an "administratively
prohibited" is a flavor) should be the header of the packet that triggered
the unreachable message. You can either parse that manually, or (for the
lazy among us - which would be me) capture a bunch of the ICMP unreachables
and look at them in Ethereal, which will parse the included header for you.
From that you *should* be able to get a fairly good idea of what is being
denied.

-Joe

> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Endre
> Szekely-Bencedi
> Sent: Wednesday, November 24, 2004 4:12 AM
> To: snort-users@lists.sourceforge.net
> Cc: Andras Kalmar; Basselgia, Barry A Mr (NAF Atsugi)
> Subject: RE: [Snort-users] exporting snort logs
>
> Hi, thanks for the reply.
> The idea is that before contacting those people I should know why these
> machines are trying to pass that router. :)
> We are a consultancy company that provides services to another company and
> we have a subnet in their network (A class network). So it is a huge
> network.
> The whole problem is this I believe, why these machines are trying to
> contact it (what software does this, actually...).
> I know only tcpdump to figure this out and tried it but didn't manage to
> see anything understandable. There is a lot of 'spam' (packets) for
> example to an exchange server on customer side (that is normal).. and some
> packets that had 'SMB' somewhere.. perhaps it is something that tries to
> access netbios shares there, and those infamous netbios ports are denied.
> Anyway I am not sure anyone can help me with this, I'll have to answer the
> questions myself.
> A hint on some tools / methods for identifying traffic would be more than
> welcome, if possible.
>
> Thanks for your patience, I'm a security noob who has some clues about
> security / networking, but that's all. :) Sorry for that.
>
> Greetings,
> Endre Szekely-Bencedi
>
> From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia@atsugi.navy.mil>
> To: "'Endre Szekely-Bencedi'" <Endre.Szekely-Bencedi@hu-tcs.com>,
>     snort-users@lists.sourceforge.net
> cc: Andras Kalmar <Andras.Kalmar@hu-tcs.com>
> Subject: RE: [Snort-users] exporting snort logs
> Date: 11/24/2004 01:20 AM
>
> Can't help with the export thing.
> But, on your question regarding "communications administratively
> prohibited". This means the router that is sending the messages is
> configured to block your network/ip address. The only way to correct this
> would be to identify who the router(s) belongs to and contact them to find
> out why you're being blocked. So, this isn't really a "False Alarm". And
> obviously, if you have 100,000 hits something on your network is trying to
> get through those routers.
>
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Endre
> Szekely-Bencedi
> Sent: Tuesday, November 23, 2004 8:36 PM
> To: snort-users@lists.sourceforge.net
> Cc: Andras Kalmar
> Subject: [Snort-users] exporting snort logs
>
> ...
> Also, how you guys manage to identify false alarms? I am getting
> alerts for "communication administratively prohibited" or something like
> that from a few routers outside of our network for 19 IP addresses (8
> machines) from our network - there are like 140 machines - and this is up
> to almost 100,000. I did not manage to determine yet what is causing this
> huge amount of alerts... tcpdump looks pretty encrypted to me, didn't see
> anything interesting yet just lots of packets towards our proxy server and
> to some exchange server...
>
> Any hints on how to do this? Perhaps some tools ... ?
>
> ...
> Greetings,
> Endre
>
> "THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR THE
> ADDRESSEE and may contain confidential and privileged information. If the
> reader of this message is not the intended recipient, you are notified that
> any dissemination, distribution or copy of this communication is strictly
> prohibited. If you have received this message by error, please notify us
> immediately, return the original mail to the sender and delete the message
> from your system."
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
>
> ---------------------------------------------------------
> This message has been scanned for viruses and dangerous
> content by the NAF Atsugi MailScanner.
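As an added illustration of Joe's suggestion (this is not code from the thread or from Snort): a pure-Python parser that pulls the embedded IP header and transport ports out of ICMP type 3 / code 13 ("communication administratively prohibited") messages and tallies which internal hosts and destination ports the routers are denying. It assumes raw IPv4 bytes with no link-layer header; the packets it parses are constructed in `build_sample` with RFC 5737 documentation addresses and zeroed checksums.

```python
import socket
import struct
from collections import Counter

ICMP_DEST_UNREACH = 3       # ICMP type 3: Destination Unreachable
ICMP_ADMIN_PROHIBITED = 13  # code 13: communication administratively prohibited


def parse_icmp_unreachable(packet: bytes):
    """Parse a raw IPv4 packet carrying ICMP Destination Unreachable and return
    the router that sent it plus the embedded (original) IP header and ports."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    # ICMP header is 4 bytes + 4 unused bytes; the original datagram follows
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    l4 = inner[inner_ihl:inner_ihl + 8]  # RFC 792: at least 8 bytes of L4 data
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {"router": socket.inet_ntoa(packet[12:16]), "code": icmp[1],
            "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def build_sample(router, src, dst, proto, sport, dport, code=ICMP_ADMIN_PROHIBITED):
    """Constructed test packet (not captured traffic): router -> src, embedding the
    header of the src -> dst packet that was denied. Checksums are left at 0."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0x4000, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    inner += struct.pack("!HHI", sport, dport, 0)  # ports + 4 bytes of seq number
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 2, 0, 250,
                        socket.IPPROTO_ICMP, 0, socket.inet_aton(router),
                        socket.inet_aton(src))
    return outer + icmp


def summarise(packets):
    """Count (src, dst, proto, dport) tuples the routers report as prohibited,
    so the noisiest internal hosts and target ports stand out."""
    counts = Counter()
    for p in packets:
        r = parse_icmp_unreachable(p)
        if r and r["code"] == ICMP_ADMIN_PROHIBITED:
            counts[(r["src"], r["dst"], r["proto"], r["dport"])] += 1
    return counts
```

The same tally run over a real capture of the ICMP alerts (tcpdump can write one with -w) answers Endre's question directly: which of the 8 machines are sending, to which destinations, and on which ports, which is what Ethereal shows per packet.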