ICMP Type and Code parsed as source and destination port #13627

Carlos-mb · 2024-09-06T18:22:41Z

Carlos-mb
Sep 6, 2024

Version

2.4.90

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

other (please provide detail below)

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

52 gb

Storage for /

2Tb

Storage for /nsm

2Tb

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi

I have this in my system:

I have checked with Wireshark that they are ICMP messages Type 3, Code 10. And SO is parsing them as source port 3, destination por 10.

I can provide you more info if you tell me what do you need.

This installation is just 7 days old. I'm new in SO and I have not created or modified parsers or anything similar.

Thaks!

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by dougburks

Sep 9, 2024

It's normal for Zeek to log the ICMP type as source port and ICMP code as destination port. For more information, please see https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html:

ICMP “ports” are to be interpreted as the source port meaning the ICMP message type and the destination port being the ICMP message code.

View full answer

Carlos-mb · 2024-09-06T19:22:26Z

Carlos-mb
Sep 6, 2024
Author

This is the message of one of the events

{"ts":1725358584.32528,"uid":"C0j3bY3Wo2ejRyirsl","id.orig_h":"17.253.122.197","id.orig_p":3,"id.resp_h":"...","id.resp_p":10,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":true,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":576,"resp_pkts":0,"resp_ip_bytes":0,"community_id":"1:************","orig_mac_oui":"HUAWEI TECHNOLOGIES CO.,LTD"}

0 replies

dougburks · 2024-09-09T10:41:10Z

dougburks
Sep 9, 2024
Maintainer

It's normal for Zeek to log the ICMP type as source port and ICMP code as destination port. For more information, please see https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html:

ICMP “ports” are to be interpreted as the source port meaning the ICMP message type and the destination port being the ICMP message code.

2 replies

Carlos-mb Sep 9, 2024
Author

I really thank your support. I guess I would had not been able to find that by myself.

I thing this zeek behavior make no sense and it has been a headache for me this weekend because I didn't understand how an external IP was accessing the port 10 of an internal server... This means than we have to refine some searches. When filtering or grouping by ports, we have to exclude ICMP records.

Again, thank you very much for your support.

dougburks Sep 10, 2024
Maintainer

I've added a note to the Zeek page in our documentation and it will be included in the next version:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ICMP Type and Code parsed as source and destination port #13627

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

ICMP Type and Code parsed as source and destination port #13627

Uh oh!

Carlos-mb Sep 6, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments · 2 replies

Uh oh!

Carlos-mb Sep 6, 2024 Author

Uh oh!

dougburks Sep 9, 2024 Maintainer

Uh oh!

Carlos-mb Sep 9, 2024 Author

Uh oh!

dougburks Sep 10, 2024 Maintainer

Carlos-mb
Sep 6, 2024

Replies: 2 comments 2 replies

Carlos-mb
Sep 6, 2024
Author

dougburks
Sep 9, 2024
Maintainer

Carlos-mb Sep 9, 2024
Author

dougburks Sep 10, 2024
Maintainer