[TriLUG] reading snort logs

Ryan Wheaton ryan.wheaton at comcast.net
Tue Nov 18 16:57:45 EST 2003


hello again.

I may be showing even more of my ignorance here, but I just found the 
following in my snort alert log:

[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
11/18-11:49:48.587496 internal.ip.ip.ip:49161 -> 205.188.8.66:5190
TCP TTL:64 TOS:0x0 ID:44974 IpLen:20 DgmLen:76 DF
***APR** Seq: 0xD89CAAA2  Ack: 0x83EE4A74  Win: 0x84D0  TcpLen: 20

[**] [1:485:2] ICMP Destination Unreachable (Communication 
Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
11/18-13:35:57.693052 61.8.233.162 -> different.internal.ip.ip
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
same.internal.ip.ip:50644 -> 202.156.246.192:6346
TCP TTL:45 TOS:0x0 ID:53817 IpLen:20 DgmLen:44 DF
Seq: 0x8853690A  Ack: 0xF8C4F7C5
** END OF DUMP


Now the first internal IP is my machine, and it looks like I was 
connecting to an AOL server (205.188.8.66) on port 5190, which is a 
common AOL port (I use their IM).  That part makes sense to me, but I 
don't see why it gets logged as an alert (I don't understand the stuff 
after that, like the ***APR** part...).

The second alert's IPs both come from ISPs in Singapore.  I'm not too 
worried about it 'cause it says administratively prohibited, but was 
this just someone trying to connect to something on a P2P (gnutella) 
network from inside here?  Or was it Singapore trying to connect 
internally?  (And I still don't understand the stuff after the IPs and 
ports.)

Thanks again in advance for everyone's expertise; I just can't find 
anything offhand on what all the details mean in these logs.

-rtw
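As an added example (not from the post and not snort's own code), a small Python parser for the fields in snort's full-alert format shown above: it decodes the eight-character flag string (snort prints the bits in the fixed order 12UAPRSF, so `***APR**` means ACK, PSH and RST are set) and pulls the ORIGINAL DATAGRAM DUMP out of the ICMP unreachable alert, which is the packet the ICMP message is reporting on. The sample input is constructed from the two alerts in the post, with the masked internal addresses replaced by RFC 5737 documentation addresses.

```python
import re

# Snort prints TCP flags as eight characters in the fixed order 12UAPRSF (reserved bit 1,
# reserved bit 2, URG, ACK, PSH, RST, SYN, FIN); a '*' means that bit is clear.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
# optional timestamp, then src[:port] -> dst[:port]; ICMP lines carry no ports
ADDR_RE = re.compile(r"^(?:(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) )?([^:\s]+)(?::(\d+))? -> ([^:\s]+)(?::(\d+))?$")
TCP_RE = re.compile(r"^(?:([12UAPRSF*]{8}) )?Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)")
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)\s+(.*)$")

def decode_flags(flags):
    """'***APR**' -> ['ACK', 'PSH', 'RST']: the bits that are set in a snort flag string."""
    return [name for ch, name in zip(flags, FLAG_NAMES) if ch != "*"]

def parse_alerts(text):
    """One dict per alert; the ORIGINAL DATAGRAM DUMP of an ICMP alert (the packet the
    ICMP message is about) is parsed with the same rules under the 'original' key."""
    alerts, cur, target = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER_RE.match(line):
            cur = target = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(cur)
        elif cur is None:
            continue  # ignore anything before the first alert header
        elif line.startswith("** ORIGINAL DATAGRAM DUMP"):
            target = cur.setdefault("original", {})
        elif line.startswith("** END OF DUMP"):
            target = cur
        elif m := ADDR_RE.match(line):
            target.update(ts=m[1], src=m[2], sport=m[3] and int(m[3]), dst=m[4], dport=m[5] and int(m[5]))
        elif m := TCP_RE.match(line):
            target.update(flags=decode_flags(m[1]) if m[1] else None, seq=int(m[2], 16), ack=int(m[3], 16))
        elif m := ICMP_RE.match(line):
            target.update(icmp_type=int(m[1]), icmp_code=int(m[2]), icmp_text=m[3])
    return alerts

# Constructed sample: the two alerts from the post, with the masked internal hosts replaced
# by RFC 5737 documentation addresses and the wrapped second header joined onto one line.
SAMPLE = """[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
11/18-11:49:48.587496 192.0.2.10:49161 -> 205.188.8.66:5190
***APR** Seq: 0xD89CAAA2  Ack: 0x83EE4A74  Win: 0x84D0  TcpLen: 20
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
11/18-13:35:57.693052 61.8.233.162 -> 192.0.2.20
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.0.2.20:50644 -> 202.156.246.192:6346
Seq: 0x8853690A  Ack: 0xF8C4F7C5
** END OF DUMP"""
```

Running `parse_alerts(SAMPLE)` shows the second alert's `original` entry with the internal host as `src` and port 6346 as `dport`, i.e. the filtered packet was outbound from inside, and the ICMP sender is only the router that rejected it.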
