Snort mailing list archives

ICMP Destination Unreachable


From: Dewey Paciaffi <dpaciaffi () fame com>
Date: Tue, 04 Dec 2001 15:23:41 -0500

Hi. I'm a new snort user. Today snort flagged 66
packets in which neither the src nor the dst addresses
are from the subnet being monitored. 

When I examined the logs, the packets seem to be in pairs:


[**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> xxx.xx.xx.254
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.xx.xx.254:252 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> 64.152.161.12
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
64.152.161.12:137 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The first packet seems to be a valid ICMP, except that we have no 
device with the address xxx.xx.xx.254 on the subnet.

Anyone know what causes this?


Dewey Paciaffi
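An added example, not part of the original post and not Snort's own code: Python that parses alerts in the layout quoted above and groups those whose embedded original datagram shares timestamp, reporting host, IP ID and destination, which makes the pairing described in the post explicit. The regexes, function names and sample addresses (documentation ranges) are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed template mirroring the alert layout quoted in the post; the
# addresses filled in below are documentation-range placeholders.
ENTRY = """[**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
12/03-00:27:04.480000 {rtr} -> {dst}
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
{dst}:{sport} -> 203.0.113.60:137
UDP TTL:113 TOS:0x0 ID:{ipid} IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
=+=+=+=+=+=+=+=+=+

"""
SAMPLE = (ENTRY.format(rtr="198.51.100.218", dst="192.0.2.254", sport=252, ipid=8800)
          + ENTRY.format(rtr="198.51.100.218", dst="192.0.2.12", sport=137, ipid=8800)
          + ENTRY.format(rtr="198.51.100.218", dst="192.0.2.12", sport=137, ipid=9001))

OUTER = re.compile(r"^(\S+) (\S+) -> (\S+)$", re.M)  # timestamp, ICMP src, ICMP dst
INNER = re.compile(
    r"ORIGINAL DATAGRAM DUMP:\n(\S+):(\d+) -> (\S+):(\d+)\n(\w+) .*?ID:(\d+)")

def parse_alerts(text):
    """Return one dict per alert that carries an embedded original datagram."""
    alerts = []
    for block in re.split(r"\n=\+[=+]*\n", text):  # entries end with a =+=+ rule
        outer, inner = OUTER.search(block), INNER.search(block)
        if not (outer and inner):
            continue  # skip anything that is not an ICMP error with a dump
        ts, reporter, icmp_dst = outer.groups()
        src, sport, dst, dport, proto, ipid = inner.groups()
        alerts.append({"ts": ts, "reporter": reporter, "icmp_dst": icmp_dst,
                       "orig_src": src, "orig_sport": int(sport), "orig_dst": dst,
                       "orig_dport": int(dport), "proto": proto, "ipid": int(ipid)})
    return alerts

def group_by_original(alerts):
    """Keep groups of 2+ alerts whose embedded datagram looks like the same packet."""
    groups = defaultdict(list)
    for a in alerts:
        key = (a["ts"], a["reporter"], a["ipid"], a["orig_dst"], a["orig_dport"])
        groups[key].append(a)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Each parsed alert also exposes `icmp_dst` and `orig_src` side by side; an ICMP error is addressed to the source of the datagram it quotes, so the two should match in every entry.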
