Snort mailing list archives

RE: Snort FAQ 1.8


From: "Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil>
Date: Wed, 11 Jul 2001 13:34:17 -0500

Don't people usually want to know _why_ it is important?  I.e., what are the
security implications of this event?

I just thought that if you are going to devote the space to question 4.8,
that fundamental question should be answered.  :)

Thanks for listening.

- Lee

-----Original Message-----
From: Ramin Alidousti [mailto:ramin () cannon eng us uu net]
Sent: Tuesday, July 10, 2001 4:38 PM
To: Phil Wood
Cc: Ramin Alidousti; Dragos Ruiu; roesch () sourcefire com;
snort-users () lists sourceforge net; Denis.Ducamp () hsc fr
Subject: Re: [Snort-users] Snort FAQ 1.8


On Tue, Jul 10, 2001 at 03:29:23PM -0600, Phil Wood wrote:

I just had to provide a longer and more nauseating answer 
to question 4.8:

Excellent !!


4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these "ICMP destination unreachable" alerts?

A: ICMP is the acronym for Internet Control Message Protocol.
   The ICMP Destination Unreachable (message type 3) is sent back to the
   originator when an IP packet could not be delivered to the destination
   address.  The ICMP Code indicates why the packet could not be delivered.
   The original codes are:
        0       net unreachable
        1       host unreachable
        2       protocol unreachable
        3       port unreachable
        4       fragmentation needed and DF bit set
        5       source route failed
   One source of port unreachable messages (code=3) is a successful
   (icmp based) traceroute.   A code of 3 tells the traceroute program that
   it has finally reached the host in question (only because it picked a
   service port that is NOT in use on the destination host).
   The ICMP unreachable packet contains a data portion reserved for
   the original IP header (normally 20 bytes, but possibly with IP options)
   PLUS 64 bits (8 bytes) of whatever followed the IP header.  If the offending
   packet was TCP or UDP based, then the first 4 bytes (of the 8 bytes) will
   contain the original source port and destination port (which are 16 bit
   quantities).
   For further information
        about   see
        IP      ftp://ftp.isi.edu/in-notes/rfc791.txt
        ICMP    ftp://ftp.isi.edu/in-notes/rfc792.txt
        TCP     ftp://ftp.isi.edu/in-notes/rfc793.txt
        UDP     ftp://ftp.isi.edu/in-notes/rfc768.txt


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
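As an added illustration of the layout the FAQ answer describes (this is not code from the thread or from Snort), the decoder below takes a raw ICMP type 3 message, verifies the RFC 792 checksum, walks the quoted IP header (honouring IHL so IP options do not shift the offsets) and pulls the original source/destination ports out of the 8 bytes that follow it, which is exactly what an analyst needs to tell a traceroute reply from anything more interesting. The sample message, a port unreachable answering a UDP probe from 10.0.0.5 to 10.0.0.9, is constructed inline.

```python
import socket
import struct

# Code names from RFC 792 (the six "original codes" quoted in the FAQ).
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed and DF bit set", 5: "source route failed"}

def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over the whole ICMP message; returns 0 when the
    embedded checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message (type 3) and recover
    the original packet's addresses, protocol and, for TCP/UDP, its ports."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short for ICMP header + IP header + 8 bytes")
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != 3:
        raise ValueError("not a destination unreachable message")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                      # quoted IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4           # header length includes IP options
    proto = inner[9]
    result = {"code": code, "reason": UNREACH_CODES.get(code, "other"),
              "orig_src": socket.inet_ntoa(inner[12:16]),
              "orig_dst": socket.inet_ntoa(inner[16:20]), "orig_proto": proto}
    payload = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(payload) >= 4:   # TCP or UDP: ports come first
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", payload[:4])
    return result

def build_sample() -> bytes:
    """Constructed sample: port unreachable for UDP 10.0.0.5:33434 -> 10.0.0.9:33435."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 1, 17, 0,
                           socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
    udp = struct.pack("!HHHH", 33434, 33435, 8, 0)
    msg = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + udp
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

if __name__ == "__main__":
    print(parse_unreachable(build_sample()))
```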
