Snort mailing list archives

Re: icmp

From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 14 Nov 2001 16:44:21 -0700 (MST)

On Wed, 14 Nov 2001, Peter VE wrote:

All I wanted to achieve is to fool the remote users, letting them believe my
host is unreachable for icmp traffic...


Normal behavior for ICMP to a host that doesn't allow it is no response.
Think about it: If you try to ping something that isn't there, you get no
response.  In your case, if someone tries to ping you, they don't get the
echo reply (or maybe they do, depending on how you've got things
configured), but they get an ICMP unreachable.  The fact that they get the
unreachable tells them there IS a host there, and that something really
strange is up with it.

Also note that IP specifies that ICMP error messages are not responded to,
lest there be infinite loops of ICMP messages.

                                                Ryan


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

icmp snortlst snortlst (Oct 22)
- RE: icmp John Berkers (Oct 24)
  - Re: icmp snortlst snortlst (Oct 24)
  - Re: icmp snortlst snortlst (Oct 24)
  - icmp again snortlst snortlst (Oct 25)
- <Possible follow-ups>
- RE: icmp T.Ferris (Oct 27)
- icmp Peter . VE (Nov 14)
- RE: icmp Oliver Friedrichs (Nov 14)
  - Re: icmp Peter VE (Nov 14)
    - Re: icmp Ashley Thomas (Nov 14)
    - Re: icmp Ryan Russell (Nov 14)
    - Re: icmp Peter VE (Nov 14)
    - Re: icmp Ryan Russell (Nov 14)
    - Re: icmp Guillaume (Nov 15)