
IPS Detect L3retriever Ping

I started receiving this IPS alert this weekend:
Message........: ICMP L3retriever Ping

Details........: www.snort.org/.../466
Time...........: 2010:06:02-11:35:54
Packet dropped.: yes
Priority.......: 2 (medium)
Classification.: Attempted Information Leak
IP protocol....: 1 (ICMP)

Source IP address: 10.98.12.x
Source port: 0
Destination IP address: 10.19.12.200
Destination port: 0


The alert is being generated with the source in one LAN network segment and the destination on another LAN network segment.  These are being generated when the first Windows XP box accesses a shared network folder on the computer at the second network segment.

Any ideas as to why this may be occurring?  The shared folder has been in place for a while and this just started happening in the past week.    I need to understand exactly what is causing this because this is a PCI environment and the target of the scan is a PCI device.
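
Added example (editor's, not code from the thread, from Snort or from the appliance vendor): a Python re-implementation of the detection options of Snort SID 466, the rule the alert's Details link points to, run over constructed IPv4/ICMP packets. It shows what the sensor actually compares when it raises "ICMP L3retriever Ping": an echo request (ICMP type 8, code 0) whose first 32 payload bytes contain a fixed 32-byte alphabet string. The content string and the absence of `nocase` (so the match is case-sensitive) are as recalled from the rule and are assumptions to verify against the rule text on your own sensor; the default payload of Windows ping.exe (the same letters, lowercase) is included so the case-sensitive and case-insensitive behaviour can be compared side by side. The source address 192.0.2.10 and the Unix-style payload are constructed placeholders; 10.19.12.200 is the destination from the alert.

```python
"""Re-implementation of the detection options of Snort SID 466
("ICMP L3retriever Ping") over raw IPv4/ICMP bytes, with constructed
samples.  Added example, not code from the thread or from Snort.

Assumptions (verify against the rule text on your own sensor):
  itype:8; icode:0; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32;
  no 'nocase', so the content match is case-sensitive.
"""
import socket
import struct

L3RETRIEVER_CONTENT = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"  # 32 bytes, as recalled from SID 466
RULE_DEPTH = 32            # depth:32 -> only the first 32 payload bytes are searched
ICMP_ECHO_REQUEST = 8      # itype:8
ICMP_ECHO_REPLY = 0
IPPROTO_ICMP = 1

# Default 32-byte payload of Windows ping.exe: the same letters, lowercase.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a message whose embedded
    checksum field is already correct, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, icode: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request/reply (8-byte header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, icmp: bytes) -> bytes:
    """Minimal IPv4 header (20 bytes, no options) around an ICMP message."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                      IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def icmp_from_ipv4(datagram: bytes) -> bytes:
    """Extract the ICMP message from an IPv4 datagram, honouring IHL and total length."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    if datagram[9] != IPPROTO_ICMP:
        raise ValueError("IP protocol %d is not ICMP" % datagram[9])
    ihl = (datagram[0] & 0x0F) * 4
    total_len = struct.unpack("!H", datagram[2:4])[0]
    return datagram[ihl:total_len]


def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP echo message into header fields and payload; reject bad checksums."""
    if len(msg) < 8:
        raise ValueError("ICMP message too short")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": itype, "code": icode, "id": ident, "seq": seq, "payload": msg[8:]}


def matches_sid466(datagram: bytes, nocase: bool = False) -> bool:
    """True if the datagram satisfies the rule's itype/icode/content/depth options.
    nocase=True shows what a case-insensitive variant of the rule would catch."""
    p = parse_icmp(icmp_from_ipv4(datagram))
    if p["type"] != ICMP_ECHO_REQUEST or p["code"] != 0:
        return False
    window = p["payload"][:RULE_DEPTH]
    if nocase:
        return L3RETRIEVER_CONTENT.lower() in window.lower()
    return L3RETRIEVER_CONTENT in window


def classify_samples() -> dict:
    """Run the check over constructed packets (not captured traffic).
    192.0.2.10 is a placeholder source; 10.19.12.200 is the alert's destination."""
    src, dst = "192.0.2.10", "10.19.12.200"

    def echo(seq: int, payload: bytes, itype: int = ICMP_ECHO_REQUEST) -> bytes:
        return build_ipv4(src, dst, build_icmp(itype, 0, 0x0100, seq, payload))

    # Constructed stand-in for a Unix ping payload: 8 timestamp bytes then 0x10, 0x11, ...
    unix_style = bytes(8) + bytes(range(0x10, 0x10 + 48))
    return {
        "l3retriever_payload":     matches_sid466(echo(1, L3RETRIEVER_CONTENT)),
        "windows_ping_exe":        matches_sid466(echo(2, WINDOWS_PING_PAYLOAD)),
        "windows_ping_exe_nocase": matches_sid466(echo(2, WINDOWS_PING_PAYLOAD), nocase=True),
        "content_after_depth":     matches_sid466(echo(3, bytes(8) + L3RETRIEVER_CONTENT)),
        "unix_style_payload":      matches_sid466(echo(4, unix_style)),
        "echo_reply_same_payload": matches_sid466(echo(1, L3RETRIEVER_CONTENT, ICMP_ECHO_REPLY)),
    }


if __name__ == "__main__":
    for name, fired in classify_samples().items():
        print("%-26s %s" % (name, "ALERT" if fired else "no match"))
```

To check the real traffic rather than the constructed samples, capture the echo requests at the segment boundary (for example `tcpdump -nn -i eth0 -X icmp and host 10.19.12.200`) and feed the raw IPv4 bytes to `matches_sid466()`. The rule has no notion of which program sent the packet: if the XP host's echo request carries that 32-byte string at the start of the ICMP data, the alert fires on it, so the alert is evidence about a payload, not proof that the L3retriever scanner is present. Note also how `depth:32` and the type/code checks narrow the match: the same string later in the payload, or in an echo reply, does not fire.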


  • Only for me it was our SSL VPN users as the source. It started right after a pattern update? (Eastern Time) Right after this appeared in the log I got hammered with alerts and it hasn't stopped. Most of the VPN users, if not all, are not using XP.

    2010:05:31-10:32:54 fw snort[23721]: 
    2010:05:31-10:32:54 fw snort[23721]: +-----------------------[thresholding-config]----------------------------------
    2010:05:31-10:32:54 fw snort[23721]: | memory-cap : 1048576 bytes
    2010:05:31-10:32:54 fw snort[23721]: +-----------------------[thresholding-global]----------------------------------
    2010:05:31-10:32:54 fw snort[23721]: | none
    2010:05:31-10:32:54 fw snort[23721]: +-----------------------[thresholding-local]-----------------------------------
    2010:05:31-10:32:54 fw snort[23721]: | none
    2010:05:31-10:32:54 fw snort[23721]: +-----------------------[suppression]------------------------------------------
    2010:05:31-10:32:54 fw snort[23721]: | none
    2010:05:31-10:32:54 fw snort[23721]: -------------------------------------------------------------------------------
    2010:05:31-10:32:54 fw snort[23721]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
    2010:05:31-10:32:54 fw snort[23721]: Log directory = /var/log/snort
    2010:05:31-10:32:54 fw snort[23721]: Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
    2010:05:31-10:32:54 fw snort[23721]: 377 out of 512 flowbits in use.
    2010:05:31-10:32:54 fw snort[23721]: Warning: OpenPcap() device eth0 success with warning:         arptype 65534 not supported by libpcap - falling back to cooked socket
    2010:05:31-10:32:54 fw snort[23721]: Initializing daemon mode
    2010:05:31-10:32:54 fw snort[23847]: PID path stat checked out ok, PID path set to /var/run/
    2010:05:31-10:32:54 fw snort[23847]: Writing PID "23847" to file "/var/run//snort_eth0_1.pid"
    2010:05:31-10:32:54 fw snort[23721]: Daemon parent exiting
    2010:05:31-10:32:54 fw snort[23847]: Daemon initialized, signaled parent pid: 23721
    2010:05:31-10:33:42 fw snort[23847]: 
    2010:05:31-10:33:42 fw snort[23847]: [ Port Based Pattern Matching Memory ]
    2010:05:31-10:33:42 fw snort[23847]: +-[AC-BNFA Search Info Summary]------------------------------
    2010:05:31-10:33:42 fw snort[23847]: | Instances        : 913
    2010:05:31-10:33:42 fw snort[23847]: | Patterns         : 307903
    2010:05:31-10:33:42 fw snort[23847]: | Pattern Chars    : 6087878
    2010:05:31-10:33:42 fw snort[23847]: | Num States       : 3253568
    2010:05:31-10:33:42 fw snort[23847]: | Num Match States : 321716
    2010:05:31-10:33:42 fw snort[23847]: | Memory           :   69.99Mbytes
    2010:05:31-10:33:42 fw snort[23847]: |   Patterns       :   12.85M
    2010:05:31-10:33:42 fw snort[23847]: |   Match Lists    :   18.96M
    2010:05:31-10:33:42 fw snort[23847]: |   Transitions    :   37.97M
    2010:05:31-10:33:42 fw snort[23847]: +-------------------------------------------------
    2010:05:31-10:33:42 fw snort[23847]: Snort initialization completed successfully (pid=23847)
    2010:05:31-10:33:42 fw snort[23847]: Not Using PCAP_FRAMES


    What is the recommended action?