Snort mailing list archives
RE: Snort FAQ 1.8
From: "Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil>
Date: Wed, 11 Jul 2001 13:34:17 -0500
Don't people usually want to know _why_ it is important? I.e., what are the security implications of this event? I just thought that if you are going to devote the space to question 4.8, that fundamental question should be answered. :) Thanks for listening. - Lee
-----Original Message----- From: Ramin Alidousti [mailto:ramin () cannon eng us uu net] Sent: Tuesday, July 10, 2001 4:38 PM To: Phil Wood Cc: Ramin Alidousti; Dragos Ruiu; roesch () sourcefire com; snort-users () lists sourceforge net; Denis.Ducamp () hsc fr Subject: Re: [Snort-users] Snort FAQ 1.8 On Tue, Jul 10, 2001 at 03:29:23PM -0600, Phil Wood wrote:I just had to provide a longer and more nauseating answerto question 4.8: Excellent !!4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What are all these "ICMP destination unreachable" alerts? A: ICMP is the acronym for Internet Control Message Protocol The ICMP Destination Unreachable (message type 3) issent back to theoriginator when an IP packet could not be delivered tothe destinationaddress. The ICMP Code indicates why the packet couldnot be delivered.The original codes are: 0 net unreachable 1 host unreachable 2 protocol unreachable 3 port unreachable 4 fragmentation needed and DF bit set 5 source route failed One source of port unreachable messages (code=3) is a successful (icmp based) traceroute. A code of 3 tells thetraceroute program thatit has finally reached the host in question (onlybecause it picked aservice port that is NOT in use on the destination host). The ICMP unreachable packet contains a data portion reserved for the original IP header (normally 20 bytes, but possiblywith IP options)PLUS 64 bits (8 bytes) of whatever followed the IPheader. If the offendingpacket was TCP or UDP based, then the first 4 bytes (ofthe 8 bytes) willcontain the original source port and destination port(which are 16 bitquantities). For further information about see IP ftp://ftp.isi.edu/in-notes/rfc791.txt ICMP ftp://ftp.isi.edu/in-notes/rfc792.txt TCP ftp://ftp.isi.edu/in-notes/rfc793.txt UDP ftp://ftp.isi.edu/in-notes/rfc768.txt_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort FAQ 1.8 Dragos Ruiu (Jul 09)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)
- Re: Snort FAQ 1.8 Blake Frantz (Jul 10)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)
- Re: Snort FAQ 1.8 Phil Wood (Jul 10)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)
- Re: Snort FAQ 1.8 Dragos Ruiu (Jul 10)
- Re: Snort FAQ 1.8 Blake Frantz (Jul 10)
- <Possible follow-ups>
- RE: Snort FAQ 1.8 Kohlenberg, Toby (Jul 10)
- Re: Snort FAQ 1.8 Phil Wood (Jul 10)
- RE: Snort FAQ 1.8 Burleson, Lee (IA) (Jul 11)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 11)
- Re: Snort FAQ 1.8 Phil Wood (Jul 11)
- Re: Snort FAQ 1.8 Paul Howell (Jul 20)
- Re: Snort FAQ 1.8 Dragos Ruiu (Jul 20)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)