[Dshield] Re-Post: Need help with this pattern

Chan, Stephen (TIS, Singapore) stephen_chan at sg.ml.com
Fri Oct 26 00:19:37 GMT 2001


Hi everyone again, I'm so sorry for the stupid attachment I sent yesterday.
Did a Paste instead of a Paste Special in Outlook. Anyways, here it is
again. I have left out stuff like sequence numbers and packet size but if
anyone asks for it, I can include that also.

timestamp              proto  msg                                               src             dst
10/20-14:22:50.786778  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.138  aa.bb.cc.dd
10/20-14:26:30.582987  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.148  aa.bb.cc.dd
10/20-14:27:35.613557  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.148  aa.bb.cc.dd
10/20-15:16:32.294765  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.162  aa.bb.cc.dd
10/20-15:16:51.819204  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.162  aa.bb.cc.dd
10/20-15:19:16.353487  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.162  aa.bb.cc.dd
10/20-16:10:39.468162  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.146  aa.bb.cc.dd
10/20-16:11:58.088431  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.146  aa.bb.cc.dd
10/22-14:06:07.117913  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.146  aa.bb.cc.dd
10/22-14:26:28.518608  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.138  aa.bb.cc.dd
10/22-14:32:03.297020  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.162  aa.bb.cc.dd
10/22-14:37:48.274332  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.146  aa.bb.cc.dd
10/22-14:44:14.998643  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.140  aa.bb.cc.dd
10/22-14:45:20.305997  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.140  aa.bb.cc.dd
10/22-14:47:39.177137  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.132  aa.bb.cc.dd
10/22-14:47:52.287917  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.132  aa.bb.cc.dd
10/22-14:48:39.730089  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.162  aa.bb.cc.dd
10/22-14:49:11.061952  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.132  aa.bb.cc.dd
10/22-14:49:45.186629  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.162  aa.bb.cc.dd
10/22-14:51:56.244862  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.162  aa.bb.cc.dd
10/22-14:54:04.075845  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.130  aa.bb.cc.dd
10/22-15:03:01.818279  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.148  aa.bb.cc.dd
10/22-15:05:02.486682  ICMP   ICMP Destination Unreachable (Undefined Code!)    207.68.179.146  aa.bb.cc.dd

Thanks everyone

> -----Original Message-----
> From:	Chan, Stephen (TIS, Singapore) 
> Sent:	Thursday, October 25, 2001 11:14 AM
> To:	'dshield at dshield.org'
> Subject:	Need help with this pattern
> 
> Hi people, this is an excerpt of a Snort log I have placed outside my
> firewall. 
> 
>  << OLE Object: Microsoft Excel Worksheet >> 
> 
> It seems to be a bunch of spoofed source IPs hitting my IDS host
> (aa.bb.cc.dd). The actual trace runs over 3 days! with similar patterns.
> Has anyone else seen anything like this? Or do you need more information?
> 
> 



