Snort mailing list archives
FAQ 1.8 ICMP Corrections
From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 21 Jul 2001 11:34:25 +0200
Folks, Some corrections for ICMP in the Snort 1.8 FAQ. Sorry for the late response but I was busy at Black Hat and Defcon. It should be stated the BOTH ICMP Type field AND Code field indicates why the packets could not be delivered. It is determined by both fields. Another Fix: ICMP Unreachable Error Messages are divided into two groups: - ICMP Unreachable Error Messages issued by routers (all 16 of them) - ICMP Unreachable Error Messages issued by a Host (only 2) What are the only 2 issued by a host? ICMP Port Unreachable - the destination port on the targeted host is closed (a.k.a. not in a listening state). ICMP Protocol Unreachable - the protocol we were trying to use is not being used on the targeted host. If the Router is the target - the router will behave as a host when generating these 2 error messages. All ICMP Error Messages are divided to 2 groups and therefore their meaning change accordingly! Another Fix:
"One source of port unreachable messages (code=3) is a successful (icmp based) traceroute. A code of 3 tells the traceroute program
that
it has finally reached the host in question (only because it picked a service port that is NOT in use on the destination host)."
Sure this is one source for these error messages, but you are missing the point here. I suggest that we will not get into "example" format first, but stick with the RFC description which is: When a destination UDP port is closed on the targeted host, a.k.a. not in a listening state, the targeted host will issue an ICMP Port Unreachable error message back to the offending packets source IP address, given in the query. This is the actual description we should give, and state after that, that some programs take this mechanism into usage, like traceroute with *nix based machines. Windows based machines (tracert) will default to ICMP Echo requests... We should also remember that some other ICMP Unreachable error messages (there are 16) should be looked at regarding the context. Another fix: An ICMP Error message contains the IP Header of the offending packet and at least the first 8 data bytes of the offending packet's data. More than 8 data bytes may be sent. If you download my latest ICMP research project paper version v3.0 you can have a full description of each and every ICMP message. This is now given in chapter 2. It is available from www.sys-security.com <http://www.sys-security.com/> . For a full description and reference Dragos can reference to my paper... Cheers Ofir Arkin [ofir () sys-security com] Founder The Sys-Security Group http://www.sys-security.com PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Phil Wood Sent: ? 10 ???? 2001 23:29 To: Ramin Alidousti Cc: Dragos Ruiu; roesch () sourcefire com; snort-users () lists sourceforge net; Denis.Ducamp () hsc fr Subject: Re: [Snort-users] Snort FAQ 1.8 I just had to provide a longer and more nauseating answer to question 4.8: 4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What are all these "ICMP destination unreachable" alerts? A: ICMP is the acronym for Internet Control Message Protocol The ICMP Destination Unreachable (message type 3) is sent back to the originator when an IP packet could not be delivered to the destination address. The ICMP Code indicates why the packet could not be delivered. The original codes are: 0 net unreachable 1 host unreachable 2 protocol unreachable 3 port unreachable 4 fragmentation needed and DF bit set 5 source route failed One source of port unreachable messages (code=3) is a successful (icmp based) traceroute. A code of 3 tells the traceroute program that it has finally reached the host in question (only because it picked a service port that is NOT in use on the destination host). The ICMP unreachable packet contains a data portion reserved for the original IP header (normally 20 bytes, but possibly with IP options) PLUS 64 bits (8 bytes) of whatever followed the IP header. If the offending packet was TCP or UDP based, then the first 4 bytes (of the 8 bytes) will contain the original source port and destination port (which are 16 bit quantities). For further information about see IP ftp://ftp.isi.edu/in-notes/rfc791.txt ICMP ftp://ftp.isi.edu/in-notes/rfc792.txt TCP ftp://ftp.isi.edu/in-notes/rfc793.txt UDP ftp://ftp.isi.edu/in-notes/rfc768.txt On Tue, Jul 10, 2001 at 03:49:58PM -0400, Ramin Alidousti wrote:
The answer of 4.8 suggests that the ICMP carries the first 64 _bytes_ of the original datagram. I believe that it should be "the first 64 data _bits_" :-) Ramin On Mon, Jul 09, 2001 at 10:30:15PM -0700, Dragos Ruiu wrote:Send me your complaints. :-) Or translations... cheers, --dr_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- FAQ 1.8 ICMP Corrections Ofir Arkin (Jul 21)