[Dshield] Pings seen as echo reply?

John Sage jsage at finchhaven.com
Fri Mar 8 22:08:01 GMT 2002


Is this as it seems? 

Dshield is reporting these packets as icmp 0:0 echo replies, but
snort is seeing them correctly as icmp 8:0 echo requests:


snort:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/07-20:14:23.869349 65.114.157.130 -> 12.82.128.53
ICMP TTL:51 TOS:0x0 ID:43311 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1280   Seq:51407  ECHO
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/07-20:14:24.149360 193.214.57.194 -> 12.82.128.53
ICMP TTL:45 TOS:0x0 ID:38716 IpLen:20 DgmLen:84
Type:8  Code:0  ID:392   Seq:44066  ECHO
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/07-20:14:24.219341 200.75.160.50 -> 12.82.128.53
ICMP TTL:46 TOS:0x0 ID:58978 IpLen:20 DgmLen:84
Type:8  Code:0  ID:420   Seq:37510  ECHO
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



dshield:

2002-03-07 20:14:23 -08:00	1234abcd	1	
  65.114.157.130	0	12.82.128.53	0	ICMP	
2002-03-07 20:14:24 -08:00	1234abcd	1	
  193.214.57.194	0	12.82.128.53	0	ICMP	
2002-03-07 20:14:24 -08:00	1234abcd	1	
  200.75.160.50	0	12.82.128.53	0	ICMP	




- John
-- 
Most people don't type their own logfiles;  but, what do I care?


----- End forwarded message -----

-- 
Most people don't type their own logfiles;  but, what do I care?
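
An added example, not part of the original post: it cross-checks the Snort records against the DShield lines quoted above and lists every packet where the two logs disagree on ICMP type and code. It assumes that, for ICMP rows, DShield's two port columns carry the ICMP type and code; the sample strings are the post's own log lines with the payload dumps omitted and wrapped lines joined.

```python
import re

# Constructed from the post's logs: payload hex dumps dropped, wrapped DShield lines joined.
SNORT = """\
03/07-20:14:23.869349 65.114.157.130 -> 12.82.128.53
ICMP TTL:51 TOS:0x0 ID:43311 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1280   Seq:51407  ECHO
03/07-20:14:24.149360 193.214.57.194 -> 12.82.128.53
ICMP TTL:45 TOS:0x0 ID:38716 IpLen:20 DgmLen:84
Type:8  Code:0  ID:392   Seq:44066  ECHO
03/07-20:14:24.219341 200.75.160.50 -> 12.82.128.53
ICMP TTL:46 TOS:0x0 ID:58978 IpLen:20 DgmLen:84
Type:8  Code:0  ID:420   Seq:37510  ECHO
"""
DSHIELD = (
    "2002-03-07 20:14:23 -08:00\t1234abcd\t1\t65.114.157.130\t0\t12.82.128.53\t0\tICMP\t\n"
    "2002-03-07 20:14:24 -08:00\t1234abcd\t1\t193.214.57.194\t0\t12.82.128.53\t0\tICMP\t\n"
    "2002-03-07 20:14:24 -08:00\t1234abcd\t1\t200.75.160.50\t0\t12.82.128.53\t0\tICMP\t\n"
)

HDR = re.compile(r"^\d\d/\d\d-(\d\d:\d\d:\d\d)\.\d+ (\S+) -> (\S+)$")
TYPE_CODE = re.compile(r"^Type:(\d+)\s+Code:(\d+)")

def parse_snort(text):
    """Map (hh:mm:ss, src, dst) -> (icmp_type, icmp_code) from Snort alert records."""
    out, key = {}, None
    for line in text.splitlines():
        if m := HDR.match(line):
            key = m.groups()
        elif key and (m := TYPE_CODE.match(line)):
            out[key] = (int(m[1]), int(m[2]))
            key = None
    return out

def parse_dshield(text):
    """Same mapping from tab-delimited DShield lines, ICMP rows only.
    Assumption: columns 5 and 7 (the port fields) hold ICMP type and code."""
    out = {}
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) >= 8 and f[7] == "ICMP":
            out[(f[0].split()[1], f[3], f[5])] = (int(f[4]), int(f[6]))
    return out

def mismatches(snort_text, dshield_text):
    """Return [(key, snort_type_code, dshield_type_code)] where the logs disagree."""
    s, d = parse_snort(snort_text), parse_dshield(dshield_text)
    return [(k, s[k], d[k]) for k in sorted(s.keys() & d.keys()) if s[k] != d[k]]
```

On the sample, all three packets are flagged: Snort records type 8, code 0 while the DShield line carries 0 and 0.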



