Strange IDS Logs

Discussion in 'other firewalls' started by maverickapollo, Jan 14, 2004.

Thread Status:
Not open for further replies.
  1. I was going through all my security logs today and I noticed something
    a little odd, and wondered if anyone could offer any insight? I am not
    that good at detailed security!

    I have an IP block assigned from my ISP, running from 81.174.*.68 to
    81.174.*.70.

    As I understand it, 68 is a broadcast address, 69 is assigned to the
    router, 70 is for a server, which I don't use at the present time.

    Now, in my snort logs, which is connected to the outside of the
    firewall, I get the following logs:

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.625784 81.174.*.69 -> 81.174.*.70
    ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52213 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.641759 81.174.*.69 -> 81.174.*.68
    ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:51701 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.642071 81.174.*.69 -> 81.174.*.70
    ICMP TTL:110 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52213 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.649566 81.174.*.69 -> 81.174.*.71
    ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52469 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.665945 81.174.*.69 -> 81.174.*.71
    ICMP TTL:110 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52469 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]


    Now, I thought of welchia or one of its many variants, and all
    machines are clean. The DHCP records show only one machine connected
    to the network most of the time, and that's my machine. It's clean.

    What could be causing these broadcasts? Anyone have any ideas?
     
  2. Dan Perez (Retired Moderator)

    I've seen lots of false positives in ICMP rules in snort. The way I look at it (along with the other types of rules) is to establish a baseline for the environment and concentrate on looking at anomalies that do not match the baseline.

    With regard to CyberKit entries, if they happen on a consistent basis they may be due to network polling as part of some function of the router (if, in fact, the consistency shown in your log snippet is reflected in all entries, i.e. that the source host is always the router and the destination host varies within your net). This polling may be done to build network stats on uptime, etc.

    What kind of router is it? We may be able to determine the answer with that info.
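    Dan's baseline-and-anomalies approach above, as an added example that is not part of the thread: a small Python script that parses Snort full-format alerts like the ones posted, counts source/destination pairs per signature, and flags entries that break the expected pattern (router as source, destination inside the assigned block). The router address, the /30 block and the sample records are constructed stand-ins for the masked addresses.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in Snort "full" alert format, modelled on the thread's entries; the
# poster's masked "81.174.*" is replaced by 10.10.10, and the third record is an added off-net source.
SAMPLE_ALERTS = """\
[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.625784 10.10.10.69 -> 10.10.10.70
ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52213 ECHO

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.641759 10.10.10.69 -> 10.10.10.68
ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:51701 ECHO

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:36.100000 198.51.100.7 -> 10.10.10.70
ICMP TTL:110 TOS:0xA0 ID:1 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:1 ECHO
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]")
PACKET = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?$", re.M)

def parse_alerts(text):
    """Yield (sid, message, timestamp, src, dst) for each alert record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head, pkt = HEADER.search(block), PACKET.search(block)
        if head and pkt:
            yield head.group(1), head.group(2), pkt.group(1), pkt.group(2), pkt.group(3)

def baseline_check(text, router, block):
    """Count src->dst pairs per signature and flag entries outside the expected
    pattern: the router as source and a destination inside the assigned block."""
    net = ip_network(block)
    pairs, anomalies = Counter(), []
    for sid, msg, ts, src, dst in parse_alerts(text):
        pairs[(sid, src, dst)] += 1
        if src != router or ip_address(dst) not in net:
            anomalies.append((ts, sid, src, dst))
    return pairs, anomalies

if __name__ == "__main__":
    print(baseline_check(SAMPLE_ALERTS, "10.10.10.69", "10.10.10.68/30"))
```

    Run against a real alert file, the pair counts are the baseline; anything that lands in the anomalies list (a source other than the router, or a destination outside the block) is what deserves a closer look.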
     
  3. Maverickapollo (Registered Member)

    It is a Smoothwall Linux Router / Firewall..

    I have posted the same question here, and got quite a response, you may want a look..

    http://www.security-forums.com/forum/viewtopic.php?t=11292

    Many Thanks

    Michael..
     