Snort mailing list archives

FAQ 1.8 ICMP Corrections


From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 21 Jul 2001 11:34:25 +0200

Folks,
 
Some corrections for ICMP in the Snort 1.8 FAQ.
 
Sorry for the late response but I was busy at Black Hat and Defcon.
 
It should be stated that BOTH the ICMP Type field AND the Code field indicate
why the packets could not be delivered. It is determined by both fields.
 
 
Another Fix:
ICMP Unreachable Error Messages are divided into two groups:
- ICMP Unreachable Error Messages issued by routers (all 16 of them)
- ICMP Unreachable Error Messages issued by a Host (only 2)
 
What are the only 2 issued by a host?
ICMP Port Unreachable - the destination port on the targeted host is
closed (a.k.a. not in a listening state). 
ICMP Protocol Unreachable - the protocol we were trying to use is not
being used on the targeted host.
 
If the Router is the target - the router will behave as a host when
generating these 2 error messages.
 
 
All ICMP Error Messages are divided into 2 groups and therefore their
meaning changes accordingly! 
 
Another Fix:
"One source of port unreachable messages (code=3) is a successful
(icmp based) traceroute. A code of 3 tells the traceroute program that
it has finally reached the host in question (only because it picked a
service port that is NOT in use on the destination host)."
 
Sure this is one source for these error messages, but you are missing
the point here. 
 
I suggest that we not get into "example" format first, but stick
with the RFC description, which is: When a destination UDP port is closed
on the targeted host, a.k.a. not in a listening state, the targeted host
will issue an ICMP Port Unreachable error message back to the offending
packet's source IP address, given in the query. 
 
This is the actual description we should give, and state after that
that some programs make use of this mechanism, like traceroute on
*nix based machines. Windows based machines (tracert) will default to
ICMP Echo requests...
 
 
We should also remember that some other ICMP Unreachable error messages
(there are 16) should be looked at in context.
 
 
Another fix:
An ICMP Error message contains the IP Header of the offending packet and
at least the first 8 data bytes of the offending packet's data. More
than 8 data bytes may be sent.
 
 
If you download my latest ICMP research project paper version v3.0 you
can have a full description of each and every ICMP message. This is now
given in chapter 2. It is available from http://www.sys-security.com/
 
 
For a full description and reference Dragos can refer to my paper...
 
 
Cheers
 
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Phil Wood
Sent: Tuesday, 10 July 2001 23:29
To: Ramin Alidousti
Cc: Dragos Ruiu; roesch () sourcefire com;
snort-users () lists sourceforge net; Denis.Ducamp () hsc fr
Subject: Re: [Snort-users] Snort FAQ 1.8
 
I just had to provide a longer and more nauseating answer to question
4.8:
 
4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these "ICMP destination unreachable" alerts?
 
A: ICMP is the acronym for Internet Control Message Protocol.
   The ICMP Destination Unreachable (message type 3) is sent back to the
   originator when an IP packet could not be delivered to the destination
   address.  The ICMP Code indicates why the packet could not be delivered.
   The original codes are:
        0       net unreachable
        1       host unreachable
        2       protocol unreachable
        3       port unreachable
        4       fragmentation needed and DF bit set
        5       source route failed
   One source of port unreachable messages (code=3) is a successful
   (icmp based) traceroute.  A code of 3 tells the traceroute program that
   it has finally reached the host in question (only because it picked a
   service port that is NOT in use on the destination host).
   The ICMP unreachable packet contains a data portion reserved for
   the original IP header (normally 20 bytes, but possibly with IP options)
   PLUS 64 bits (8 bytes) of whatever followed the IP header.  If the
   offending packet was TCP or UDP based, then the first 4 bytes (of the
   8 bytes) will contain the original source port and destination port
   (which are 16 bit quantities).
   For further information
        about   see
        IP      ftp://ftp.isi.edu/in-notes/rfc791.txt
        ICMP    ftp://ftp.isi.edu/in-notes/rfc792.txt
        TCP     ftp://ftp.isi.edu/in-notes/rfc793.txt
        UDP     ftp://ftp.isi.edu/in-notes/rfc768.txt
 
On Tue, Jul 10, 2001 at 03:49:58PM -0400, Ramin Alidousti wrote:
The answer of 4.8 suggests that the ICMP carries the first
64 _bytes_ of the original datagram. I believe that it should
be "the first 64 data _bits_" :-)

Ramin

On Mon, Jul 09, 2001 at 10:30:15PM -0700, Dragos Ruiu wrote:

Send me your complaints. :-)
Or translations...

cheers,
--dr


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
 
-- 
Phil Wood, cpw () lanl gov
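The two points the thread makes about Destination Unreachable messages (Type and Code read together, and the embedded IP header plus the first 8 data bytes, from which the original ports can be recovered) are what an analyst needs when triaging these Snort alerts. The following is an added example, not code from the thread, Snort, or the FAQ: it builds constructed sample messages and parses them, using the RFC 792 codes 0-5 from the FAQ answer above and the host-issued/router-issued split Ofir Arkin describes. Addresses, ports, and the helper names (`parse_unreachable`, `build_unreachable`, `make_ipv4_transport`) are assumptions made for the example; the inner IP and transport checksums are deliberately left zero because the parser does not need them.

```python
"""Parse ICMP Destination Unreachable (type 3) messages as described in the thread."""
import struct
from dataclasses import dataclass
from typing import Optional

# Type 3 codes listed in the FAQ answer (RFC 792). Later RFCs define more codes;
# they are reported here as "other code N".
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF bit set",
    5: "source route failed",
}

# Per the thread: Protocol and Port Unreachable are issued by the targeted host
# itself (or by a router acting as a host when it is the target); the other
# unreachable codes are issued by a router on the path.
HOST_ISSUED_CODES = {2, 3}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Unreachable:
    code: int
    reason: str
    issued_by: str               # "destination host" or "router on the path"
    orig_src: str                # from the embedded IP header
    orig_dst: str
    orig_proto: int
    orig_sport: Optional[int]    # only recoverable when the inner packet was TCP/UDP
    orig_dport: Optional[int]


def parse_unreachable(icmp: bytes) -> Unreachable:
    """Interpret a type 3 message: Type AND Code, then the quoted IP header + 8 data bytes."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short: ICMP header + inner IP header + 8 data bytes required")
    icmp_type, code, _csum = struct.unpack("!BBH", icmp[:4])
    if icmp_type != 3:
        raise ValueError(f"not a Destination Unreachable message (type {icmp_type})")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                       # quoted portion of the offending packet
    ihl = (inner[0] & 0x0F) * 4            # IP options make the inner header longer than 20
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded IP header is not a complete IPv4 header plus 8 bytes")
    proto = inner[9]
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport = dport = None
    if proto in (6, 17):                   # TCP/UDP: ports are the first 4 of the 8 data bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return Unreachable(
        code=code,
        reason=UNREACHABLE_CODES.get(code, f"other code {code}"),
        issued_by="destination host" if code in HOST_ISSUED_CODES else "router on the path",
        orig_src=src, orig_dst=dst, orig_proto=proto, orig_sport=sport, orig_dport=dport,
    )


def make_ipv4_transport(src: str, dst: str, proto: int, sport: int, dport: int,
                        options: bytes = b"") -> bytes:
    """Constructed offending packet: IPv4 header (optionally with options) + 8-byte TCP/UDP start.
    IP and transport checksums are left at zero (assumption: the parser never checks them)."""
    assert len(options) % 4 == 0, "IP options must be padded to a 32-bit boundary"
    ihl = 5 + len(options) // 4
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8, 0x1234, 0, 64,
                     proto, 0, src_b, dst_b) + options
    transport = struct.pack("!HHHH", sport, dport, 8, 0)   # src port, dst port, then 4 more bytes
    return ip + transport


def build_unreachable(code: int, offending: bytes) -> bytes:
    """Constructed ICMP type 3 message quoting the inner IP header + first 8 data bytes."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[:ihl + 8]          # RFC 792 minimum; a sender may include more
    header = struct.pack("!BBHI", 3, code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted


# Constructed samples (not captured traffic):
# 1. a host reporting that UDP port 33434 is closed (the *nix traceroute case above)
SAMPLE_PORT_UNREACHABLE = build_unreachable(
    3, make_ipv4_transport("192.0.2.10", "198.51.100.7", 17, 40000, 33434))
# 2. a router reporting host unreachable for a TCP SYN whose IP header carried 4 NOP options
SAMPLE_HOST_UNREACHABLE = build_unreachable(
    1, make_ipv4_transport("192.0.2.10", "198.51.100.9", 6, 51515, 443, options=b"\x01\x01\x01\x01"))

if __name__ == "__main__":
    for sample in (SAMPLE_PORT_UNREACHABLE, SAMPLE_HOST_UNREACHABLE):
        print(parse_unreachable(sample))
```

The second sample is there to show why the parser reads IHL instead of assuming a 20-byte inner header: with options present, the original ports sit 4 bytes further in, and a fixed offset would report the wrong ports for the alert.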
 
 
