[TriLUG] reading snort logs
Ryan Wheaton
ryan.wheaton at comcast.net
Tue Nov 18 16:57:45 EST 2003
Hello again.
I may be showing even more of my ignorance here, but I just found the
following in my snort alert log:
[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
11/18-11:49:48.587496 internal.ip.ip.ip:49161 -> 205.188.8.66:5190
TCP TTL:64 TOS:0x0 ID:44974 IpLen:20 DgmLen:76 DF
***APR** Seq: 0xD89CAAA2 Ack: 0x83EE4A74 Win: 0x84D0 TcpLen: 20
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
11/18-13:35:57.693052 61.8.233.162 -> different.internal.ip.ip
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
same.internal.ip.ip:50644 -> 202.156.246.192:6346
TCP TTL:45 TOS:0x0 ID:53817 IpLen:20 DgmLen:44 DF
Seq: 0x8853690A Ack: 0xF8C4F7C5
** END OF DUMP
Now, the first internal IP is my machine, and it looks like I was
connecting to an AOL server (205.188.8.66) on port 5190, which is a
common AOL port (I use their IM). That part makes sense to me, but I
don't see why it gets logged as an alert (I don't understand the stuff
after that, like the ***APR** part...).
The second alert's IPs both come from ISPs in Singapore. I'm not too
worried about it 'cause it says administratively prohibited, but was
this just someone trying to connect to something on a P2P (gnutella)
network from inside here? Or was it Singapore trying to connect
internally? (And I still don't understand the stuff after the IPs and
ports.)
Thanks again in advance for everyone's expertise; I just can't find
anything offhand on what all the details mean in these logs.
-rtw
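The question above is about reading the fields of Snort's full-format alert records. The following is an added example, not code from the post or from the Snort project: a small parser for records shaped like the two alerts quoted (the "[**] [gid:sid:rev] msg [**]" header, the timestamped "src:port -> dst:port" line, the IP/TCP/ICMP detail lines, and the "ORIGINAL DATAGRAM DUMP" block that an ICMP error carries). It decodes the eight-column TCP flag field ("***APR**" means ACK, PSH and RST are set) and classifies each packet, and the embedded datagram of an ICMP error, as inbound or outbound relative to your own address space. The sample input is constructed from the post's two alerts with the redacted internal hosts replaced by RFC 5737 documentation addresses and the mail-wrapped lines re-joined; the regexes, class names and the 192.0.2.0/24 prefix are assumptions of this example.

```python
"""Parse Snort 2.x full-format alert records and decode their fields (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the two alerts from the post, internal hosts replaced by
# 192.0.2.x (assumption) and the mail-wrapped message lines re-joined.
SAMPLE_ALERTS = """\
[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
11/18-11:49:48.587496 192.0.2.10:49161 -> 205.188.8.66:5190
TCP TTL:64 TOS:0x0 ID:44974 IpLen:20 DgmLen:76 DF
***APR** Seq: 0xD89CAAA2 Ack: 0x83EE4A74 Win: 0x84D0 TcpLen: 20

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
11/18-13:35:57.693052 61.8.233.162 -> 192.0.2.20
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.0.2.20:50644 -> 202.156.246.192:6346
TCP TTL:45 TOS:0x0 ID:53817 IpLen:20 DgmLen:44 DF
Seq: 0x8853690A Ack: 0xF8C4F7C5
** END OF DUMP
"""

# Snort prints TCP flags as eight fixed columns "12UAPRSF": the two reserved
# bits, URG, ACK, PSH, RST, SYN, FIN. A '*' in a column means that bit is clear.
FLAG_COLUMNS = "12UAPRSF"
FLAG_NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

ENDPOINTS = r"(\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) " + ENDPOINTS)
DGRAM_RE = re.compile("^" + ENDPOINTS)          # packet line inside an ICMP dump: no timestamp
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:\d+ DgmLen:(\d+)")
FLAGS_RE = re.compile(r"^([12*UAPRSF]{8}) Seq:")
ICMP_RE = re.compile(r"^Type:(\d+) Code:(\d+)")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]")


@dataclass
class Packet:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str = ""
    ttl: int = 0
    length: int = 0
    flags: list = field(default_factory=list)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class Alert:
    gid: int          # generator id: 1 = rules engine, 111 = spp_stream4 preprocessor
    sid: int
    rev: int
    msg: str
    timestamp: str = ""
    classification: str = ""
    priority: Optional[int] = None
    packet: Optional[Packet] = None
    original: Optional[Packet] = None   # datagram quoted inside an ICMP error message


def decode_flags(columns: str) -> list:
    """Turn Snort's eight-column flag field, e.g. '***APR**', into ['ACK', 'PSH', 'RST']."""
    if len(columns) != 8:
        raise ValueError(f"expected 8 flag columns, got {columns!r}")
    return [FLAG_NAMES[c] for c, want in zip(columns, FLAG_COLUMNS) if c == want]


def _endpoints(g) -> Packet:
    src, sport, dst, dport = g
    return Packet(src, int(sport) if sport else None, dst, int(dport) if dport else None)


def parse_alerts(text: str) -> list:
    """Parse a full-format alert file into Alert objects; ICMP dumps fill .original."""
    alerts, current, target, in_dump = [], None, None, False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            current = Alert(int(m[1]), int(m[2]), int(m[3]), m[4])
            alerts.append(current)
            target, in_dump = None, False
        elif current is None:
            continue                                  # stray text before the first header
        elif line.startswith("** ORIGINAL DATAGRAM DUMP"):
            in_dump = True
        elif line.startswith("** END OF DUMP"):
            in_dump = False
        elif (m := CLASS_RE.match(line)):
            current.classification, current.priority = m[1], int(m[2])
        elif (m := PACKET_RE.match(line)):
            current.timestamp = m[1]
            current.packet = target = _endpoints(m.groups()[1:])
        elif in_dump and (m := DGRAM_RE.match(line)):
            current.original = target = _endpoints(m.groups())
        elif target is not None and (m := PROTO_RE.match(line)):
            target.proto, target.ttl, target.length = m[1], int(m[2]), int(m[3])
        elif target is not None and (m := FLAGS_RE.match(line)):
            target.flags = decode_flags(m[1])
        elif target is not None and (m := ICMP_RE.match(line)):
            target.icmp_type, target.icmp_code = int(m[1]), int(m[2])
    return alerts


def direction(pkt: Packet, internal_prefixes: tuple) -> str:
    """Classify a packet relative to your own address space (prefixes are an assumption)."""
    src_in, dst_in = pkt.src.startswith(internal_prefixes), pkt.dst.startswith(internal_prefixes)
    return {(True, False): "outbound", (False, True): "inbound",
            (True, True): "internal", (False, False): "transit"}[(src_in, dst_in)]


def summarize(alert: Alert, internal_prefixes: tuple = ("192.0.2.",)) -> str:
    """One-line reading of an alert; an ICMP error is described by the datagram it quotes."""
    ep = lambda h, p: h if p is None else f"{h}:{p}"
    p = alert.packet
    detail = "/".join(p.flags) if p.proto == "TCP" else f"type {p.icmp_type} code {p.icmp_code}"
    text = (f"[{alert.gid}:{alert.sid}:{alert.rev}] {direction(p, internal_prefixes)} {p.proto} "
            f"{ep(p.src, p.sport)} -> {ep(p.dst, p.dport)} {detail}")
    if alert.original:
        o = alert.original
        text += f" (about {direction(o, internal_prefixes)} {o.proto} {ep(o.src, o.sport)} -> {ep(o.dst, o.dport)})"
    return text


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(summarize(a))
```

Run against the constructed sample it prints one line per alert: the first as outbound TCP to 205.188.8.66:5190 with ACK/PSH/RST set, the second as an inbound ICMP type 3 code 13 whose quoted datagram is an outbound TCP packet from the internal host to 202.156.246.192:6346. The generator id in the header tells you who raised the alert: 111 is the stream4 preprocessor, 1 is the rules engine (sid 485 is the rule for this ICMP message). Feed it a real `alert` file with your own prefixes in `internal_prefixes`.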