[Dshield] Pings seen as echo reply?

Wayne Larmon wlarmon at dshield.org
Sat Mar 9 03:16:16 GMT 2002


What DShield client (and version) produced the DShield log? And from what
firewall? Is it one of the DShield snort clients? We have had multiple
versions of snort clients.

Wayne Larmon
wlarmon at dshield.org

> Is this as it seems?
>
> Dshield is reporting these packets as icmp 0:0 echo replies, but
> snort is seeing them correctly as icmp 8:0 echo requests:
>
>
> snort:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 03/07-20:14:23.869349 65.114.157.130 -> 12.82.128.53
> ICMP TTL:51 TOS:0x0 ID:43311 IpLen:20 DgmLen:84
> Type:8  Code:0  ID:1280   Seq:51407  ECHO
> 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
> 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
> 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
> 38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 03/07-20:14:24.149360 193.214.57.194 -> 12.82.128.53
> ICMP TTL:45 TOS:0x0 ID:38716 IpLen:20 DgmLen:84
> Type:8  Code:0  ID:392   Seq:44066  ECHO
> 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
> 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
> 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
> 38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 03/07-20:14:24.219341 200.75.160.50 -> 12.82.128.53
> ICMP TTL:46 TOS:0x0 ID:58978 IpLen:20 DgmLen:84
> Type:8  Code:0  ID:420   Seq:37510  ECHO
> 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
> 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
> 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
> 38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
> dshield:
>
> 2002-03-07 20:14:23 -08:00	1234abcd	1
>   65.114.157.130	0	12.82.128.53	0	ICMP
> 2002-03-07 20:14:24 -08:00	1234abcd	1
>   193.214.57.194	0	12.82.128.53	0	ICMP
> 2002-03-07 20:14:24 -08:00	1234abcd	1
>   200.75.160.50	0	12.82.128.53	0	ICMP
>
>
>
>
> - John
> --
> Most people don't type their own logfiles;  but, what do I care?
>
>
> ----- End forwarded message -----
>
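
An added example (not part of the thread, and not DShield client code) that cross-checks the two logs quoted above and flags every DShield ICMP row that disagrees with Snort. It assumes, as the poster's "icmp 0:0" reading implies, that the two port columns of a DShield ICMP row hold the ICMP type and code; the rows are unwrapped to one tab-separated line each and the payload dumps are left out.

```python
import re

# Snort records from the message above, payload hex dumps omitted.
SNORT_LOG = """\
03/07-20:14:23.869349 65.114.157.130 -> 12.82.128.53
ICMP TTL:51 TOS:0x0 ID:43311 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1280   Seq:51407  ECHO
03/07-20:14:24.149360 193.214.57.194 -> 12.82.128.53
ICMP TTL:45 TOS:0x0 ID:38716 IpLen:20 DgmLen:84
Type:8  Code:0  ID:392   Seq:44066  ECHO
03/07-20:14:24.219341 200.75.160.50 -> 12.82.128.53
ICMP TTL:46 TOS:0x0 ID:58978 IpLen:20 DgmLen:84
Type:8  Code:0  ID:420   Seq:37510  ECHO
"""

# DShield rows from the message, rebuilt as single tab-separated lines.
ROW = "2002-03-07 {}\t1234abcd\t1\t{}\t0\t12.82.128.53\t0\tICMP"
DSHIELD_LOG = "\n".join(ROW.format(t, s) for t, s in [
    ("20:14:23 -08:00", "65.114.157.130"),
    ("20:14:24 -08:00", "193.214.57.194"),
    ("20:14:24 -08:00", "200.75.160.50")])

HEADER = re.compile(r"^\d\d/\d\d-(\d\d:\d\d:\d\d)\.\d+ (\S+) -> (\S+)$", re.M)
TYPECODE = re.compile(r"^Type:(\d+)\s+Code:(\d+)", re.M)

def parse_snort(text):
    """Map (hh:mm:ss, src, dst) -> (icmp_type, icmp_code) per Snort record."""
    records, headers = {}, list(HEADER.finditer(text))
    for i, h in enumerate(headers):
        # Only search for Type/Code inside this record, not the next one.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        tc = TYPECODE.search(text, h.end(), end)
        if tc:
            records[h.groups()] = (int(tc.group(1)), int(tc.group(2)))
    return records

def find_mismatches(snort_text, dshield_text):
    """Return DShield ICMP rows whose type/code columns disagree with Snort."""
    snort, mismatches = parse_snort(snort_text), []
    for line in dshield_text.splitlines():
        f = line.split("\t")
        if len(f) < 8 or f[7].upper() != "ICMP":
            continue
        key = (f[0].split()[1], f[3], f[5])   # time of day, source, target
        seen, reported = snort.get(key), (int(f[4]), int(f[6]))
        if seen is not None and seen != reported:
            mismatches.append({"src": f[3], "dshield": reported, "snort": seen})
    return mismatches
```

Matching on time of day to the second is enough for this excerpt; two packets from the same source in the same second would share a key.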



