My SNORT installation set of an alarm a few days back:
"ICMP Destination Unreachable Port Unreachable" [Impact: Vulnerable] From
"SNORT-sensor" at Thu Dec 13 13:24:59 2007 UTC [Classification: Misc Activity]
[Priority: 3] {icmp} RemoteHostIP->LocalHostIP
I have checked my firewall logs and confirmed that the LocalHost has been
trying to connect to RemoteHost at that time and also checked a pcap-file from
snort and found my LocalHost MAC-adress so it's not somekind of spoofing. The
problem here is that the RemoteHost is NOT anything I want to talk to.
I have scanned the LocalHost with several antivirus/antirootkit/antispyware byt
can't find anything that could cause the connectionattempts.
Has anyone seen anything like this before? What could possibly cause this? Is
my LocalHost compromised?
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
