Snort mailing list archives
Re: Snort FAQ 1.8
From: Phil Wood <cpw () lanl gov>
Date: Wed, 11 Jul 2001 15:15:15 -0600
Lee,

On Wed, Jul 11, 2001 at 01:34:17PM -0500, Burleson, Lee (IA) wrote:
Don't people usually want to know _why_ it is important? I.e., what are the security implications of this event?
I guess, I'd have to say "it all depends..." Some "alerts" are informational, like the ICMP alerts found in icmp-info.rules. At this time there are no references or even classtypes associated with these rules. Other rules are more likely to be associated with untoward activity. For example, in icmp.rules you will find:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; content:"|495353504e475251|"; itype:8; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:1;)

which has a reference, where the importance might be determined by checking out the arachnids reference. Also, the classtype will indicate more or less the relative importance of the event.

My cut was more toward fundamental knowledge of the information being displayed rather than trying to give it a number on some scale of importance. It would be my hope that an observer [ids specialist], who understands why there are ICMP unreachables (a natural and expected event in the IP world), could then decide if they were important in the context that only the observer can know.
I just thought that if you are going to devote the space to question 4.8, that fundamental question should be answered. :)

Thanks for listening.

- Lee

-----Original Message-----
From: Ramin Alidousti [mailto:ramin () cannon eng us uu net]
Sent: Tuesday, July 10, 2001 4:38 PM
To: Phil Wood
Cc: Ramin Alidousti; Dragos Ruiu; roesch () sourcefire com; snort-users () lists sourceforge net; Denis.Ducamp () hsc fr
Subject: Re: [Snort-users] Snort FAQ 1.8

On Tue, Jul 10, 2001 at 03:29:23PM -0600, Phil Wood wrote:

I just had to provide a longer and more nauseating answer to question 4.8:

Excellent !!

4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What are all these "ICMP destination unreachable" alerts?

A: ICMP is the acronym for Internet Control Message Protocol.

The ICMP Destination Unreachable (message type 3) is sent back to the originator when an IP packet could not be delivered to the destination address. The ICMP Code indicates why the packet could not be delivered. The original codes are:

0 net unreachable
1 host unreachable
2 protocol unreachable
3 port unreachable
4 fragmentation needed and DF bit set
5 source route failed

One source of port unreachable messages (code=3) is a successful (icmp based) traceroute. A code of 3 tells the traceroute program that it has finally reached the host in question (only because it picked a service port that is NOT in use on the destination host).

The ICMP unreachable packet contains a data portion reserved for the original IP header (normally 20 bytes, but possibly more with IP options) PLUS 64 bits (8 bytes) of whatever followed the IP header. If the offending packet was TCP or UDP based, then the first 4 bytes (of the 8 bytes) will contain the original source port and destination port (which are 16 bit quantities).
For further information see:

IP   ftp://ftp.isi.edu/in-notes/rfc791.txt
ICMP ftp://ftp.isi.edu/in-notes/rfc792.txt
TCP  ftp://ftp.isi.edu/in-notes/rfc793.txt
UDP  ftp://ftp.isi.edu/in-notes/rfc768.txt

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
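Added example, not part of this thread or of the Snort FAQ: a small Python decoder for the ICMP Destination Unreachable layout the 4.8 answer above describes. It builds a few constructed type 3 messages (no captured traffic), verifies the ICMP checksum, walks the quoted IP header by its IHL field so IP options do not shift the offsets, pulls the original source and destination ports out of the 8 quoted payload bytes, and flags the code 3 / UDP / port 33434+ pattern that a finished UNIX traceroute leaves behind. The helper names, addresses and port numbers are all assumptions chosen for the example.

```python
"""Decode ICMP Destination Unreachable (type 3) messages.

Added example, not from the Snort project or the FAQ. All packets below are
constructed in-line; nothing is read from the network.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF bit set",
    5: "source route failed",
}
TRACEROUTE_PORTS = range(33434, 33535)  # classic UDP traceroute probe range


def inet_checksum(data: bytes) -> int:
    """RFC 791/792 ones'-complement sum of 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, options: bytes = b"") -> bytes:
    """Minimal IPv4 header; options must already be padded to a multiple of 4 bytes."""
    assert len(options) % 4 == 0
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                      0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_unreachable(code: int, original_packet: bytes) -> bytes:
    """What a router/host sends back: type 3, code, checksum, 4 unused bytes,
    then the original IP header (20 bytes or more with options) plus the
    first 8 bytes that followed it."""
    ihl = (original_packet[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original_packet[:ihl + 8]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_unreachable(icmp: bytes) -> dict:
    """Recover code, quoted header length and the original 5-tuple.
    Raises ValueError on anything malformed or truncated."""
    if len(icmp) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a destination unreachable message (type %d)" % itype)
    if inet_checksum(icmp) != 0:  # a valid message sums to zero with its checksum in place
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("quoted IP header truncated")
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("quoted header is not a valid IPv4 header")
    if len(inner) < ihl + 8:  # options present but the 8 payload bytes are cut off
        raise ValueError("quoted header has options but the 8 payload bytes are missing")
    proto = inner[9]
    tail = inner[ihl:ihl + 8]  # the 64 bits that followed the original IP header
    result = {"code": code, "reason": UNREACH_CODES.get(code, "code %d" % code),
              "inner_header_len": ihl, "proto": proto,
              "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20])}
    if proto in (6, 17):  # TCP or UDP: the first 4 quoted bytes are the two ports
        result["src_port"], result["dst_port"] = struct.unpack("!HH", tail[:4])
        if proto == 6:
            result["tcp_seq"] = struct.unpack("!I", tail[4:8])[0]
        else:
            result["udp_len"] = struct.unpack("!H", tail[4:6])[0]
    return result


def is_well_formed(icmp: bytes) -> bool:
    try:
        parse_unreachable(icmp)
        return True
    except ValueError:
        return False


def looks_like_traceroute(parsed: dict) -> bool:
    """UNIX traceroute sends UDP probes to 33434 and up and stops on the
    target's port unreachable; that is the benign case the FAQ describes."""
    return (parsed["code"] == 3 and parsed["proto"] == 17
            and parsed.get("dst_port", 0) in TRACEROUTE_PORTS)


# Constructed sample 1: UDP traceroute probe 10.0.0.5:40000 -> 192.0.2.10:33440 (assumed addresses).
_udp = struct.pack("!HHHH", 40000, 33440, 40, 0) + b"\x00" * 32
SAMPLE_TRACEROUTE = icmp_unreachable(3, ipv4_header("10.0.0.5", "192.0.2.10", 17, len(_udp)) + _udp)
# Constructed sample 2: same probe, but the original header carried 4 NOP options (IHL=6).
SAMPLE_WITH_OPTIONS = icmp_unreachable(3, ipv4_header("10.0.0.5", "192.0.2.10", 17, len(_udp), b"\x01" * 4) + _udp)
# Constructed sample 3: TCP SYN to port 80 answered with host unreachable (code 1).
_tcp = struct.pack("!HHIIBBHHH", 51000, 80, 0xDEADBEEF, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLE_TCP = icmp_unreachable(1, ipv4_header("10.0.0.5", "192.0.2.10", 6, len(_tcp)) + _tcp)

if __name__ == "__main__":
    for name, pkt in (("traceroute", SAMPLE_TRACEROUTE), ("options", SAMPLE_WITH_OPTIONS), ("tcp", SAMPLE_TCP)):
        p = parse_unreachable(pkt)
        print(name, p, "traceroute:", looks_like_traceroute(p))
```

The point of walking the quoted header by IHL rather than assuming 20 bytes is the one the FAQ makes in passing: a decoder that hard-codes offset 20 reads the wrong ports whenever the original packet carried IP options, and a decoder that does not check that all 8 payload bytes are present will happily report garbage from a truncated message.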
Current thread:
- Re: Snort FAQ 1.8, (continued)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)
- Re: Snort FAQ 1.8 Blake Frantz (Jul 10)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)
- Re: Snort FAQ 1.8 Phil Wood (Jul 10)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)
- Re: Snort FAQ 1.8 Dragos Ruiu (Jul 10)
- Re: Snort FAQ 1.8 Blake Frantz (Jul 10)
- RE: Snort FAQ 1.8 Kohlenberg, Toby (Jul 10)
- Re: Snort FAQ 1.8 Phil Wood (Jul 10)
- RE: Snort FAQ 1.8 Burleson, Lee (IA) (Jul 11)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 11)
- Re: Snort FAQ 1.8 Phil Wood (Jul 11)
- Re: Snort FAQ 1.8 Paul Howell (Jul 20)
- Re: Snort FAQ 1.8 Dragos Ruiu (Jul 20)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)