On Wednesday 17 September 2003 20:50, Shawn wrote:
> I was able to login to my IPCop's web interface today, and checked out my
> logs. In the intrusion detection logs, I have a large number of entries
> like this:
>
> Date: 09/17 09:22:17 Name: ICMP PING CyberKit 2.2 Windows
> Priority: 3 Type: Misc activity
> IP info: 142.59.106.45
> <http://192.168.0.1:81/cgi-bin/ipinfo.cgi?ip=142.59.106.45>:n/a ->
> 142.59.175.169
> <http://192.168.0.1:81/cgi-bin/ipinfo.cgi?ip=142.59.175.169>:n/a
> References: none found SID: 483
> <http://www.snort.org/snort-db/sid.html?sid=483>
>
> The info I can find indicates this is more or less a port scan, where
> someone is looking for an active host.
That traffic is generally a result of the following:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

I noticed those entries starting to appear in my logs on the 18th of August. I was eventually receiving over 1200 hits a day. As people slowly get rid of the worm off their machines, it'll drop. I'm just of 700 hits a day now.

> What I need to know (and don't see a clear answer yet) is if this traffic
> has been blocked by the firewall. If so, was an echo-reply sent?

According to the manual for Snort (http://www.snort.org/docs/writing_rules/), this is what happens when the rule action is to perform an alert:

alert - generate an alert using the selected alert method, and then log the packet

This type of packet, which matched an ICMP rule (/etc/snort/icmp.rules, /etc/snort/icmp-info.rules), performs an alert action. Looking through the rules files, it seems that it only performs an alert action on any ICMP ping. I checked into what was happening on my machine, and the firewall does respond to the pings.

> And the follow up question, how do I disable echo reply on an IPCop
> firewall? (looking at their web site right now...).

I do not know. :-)
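As an added example that is not part of the thread, the script below parses IDS entries in the format Shawn quoted and tallies SID 483 (ICMP PING CyberKit 2.2 Windows) hits per day and per source, the kind of count the reply describes going from 1200 to 700 a day. The log text and addresses are constructed; the second alert name and its SID are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the IPCop IDS log layout quoted above (not real traffic).
SAMPLE_LOG = """\
Date: 09/17 09:22:17 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 142.59.106.45:n/a -> 142.59.175.169:n/a
References: none found SID: 483

Date: 09/17 09:22:31 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 142.59.106.45:n/a -> 142.59.175.169:n/a
References: none found SID: 483

Date: 09/18 02:10:05 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 10.20.30.40:n/a -> 142.59.175.169:n/a
References: none found SID: 483

Date: 09/18 02:11:00 Name: EXAMPLE other alert (constructed placeholder)
Priority: 2 Type: Misc activity
IP info: 10.20.30.41:1029 -> 142.59.175.169:161
References: none found SID: 1000001
"""

# One entry spans four lines: Date/Name, Priority/Type, IP info, References/SID.
ENTRY_RE = re.compile(
    r"Date:\s+(?P<date>\d\d/\d\d)\s+(?P<time>[\d:]+)\s+Name:\s+(?P<name>.+?)\s*\n"
    r"Priority:\s+(?P<prio>\d+)\s+Type:\s+(?P<type>.+?)\s*\n"
    r"IP info:\s+(?P<src>[\d.]+):\S+\s+->\s+(?P<dst>[\d.]+):\S+\s*\n"
    r"References:.*?SID:\s+(?P<sid>\d+)"
)

def parse_entries(text):
    """Return one dict per IDS entry found in IPCop-style log text."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def hits_per_day(entries, sid="483"):
    """Count alerts per day for a given Snort SID (default: 483, the CyberKit ping)."""
    return Counter(e["date"] for e in entries if e["sid"] == sid)

def top_sources(entries, sid="483"):
    """List source addresses that triggered the SID, most frequent first."""
    return Counter(e["src"] for e in entries if e["sid"] == sid).most_common()

if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print("SID 483 hits per day:", dict(hits_per_day(found)))
    print("top sources:", top_sources(found))
```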
