Snort mailing list archives
RE: ICMP Destination Unreachable
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Wed, 17 Jul 2002 10:51:11 -0400
Hello! I need your help. Could you reply to this address if you'll reply today, or to fra.mila () tiscalinet it if you'll reply tomorrow? I used Snort, but I don't understand why I found only messages like these:
Folks here subscribe to the list, post to the list, and reply to the list. Just a general observation...
ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited) from an external IP to an IP of my home-net
A host on your network tried to contact a host on an external network (likely using ICMP), and an intermediate device has an access control list in place that prevents this type of communication. These rules tend to go off a lot on networks with ICMP-heavy apps or operating systems.
The rule is in "icmp.rules" and it's: alert icmp any any -> any any (msg:"ICMP Destination Unreachable(Communication Administratively Prohibited)".......) Why do they put "any any -> any any"?
I think that the ICMP rules are, in general, more useful for troubleshooting and information gathering than intrusion detection. Just my opinion. However, if you're using them for intrusion detection, you probably want them written this way (any any -> any any). ICMP is stateless, and responses can be elicited via a number of methods. In addition, if you are on a relatively "closed" segment, these types of messages will often be the first indicator of malicious activity, specifically in the form of illegal listeners, rogue services, etc.
Are these messages important? What would you say about them? Is it possible that I find ONLY these messages (an "alert" file in /var/log/snort/ of 2 GB in 24 hours with ONLY messages like these)?
I would say that you need to look at these in the context of the network from which they are being generated. Some networks generate tons of these during normal activity (although I would suggest that the architecture is flaky). If you have this many of them, I would tend to believe that it's "normal." However, I wouldn't rule anything out until you do some ACL searching and try to re-create some of the events.
Cheers
Keith
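Keith's advice is to read these alerts in the context of the network and find which ACL is rejecting what. An ICMP Destination Unreachable message carries the IP header and first 8 bytes of the original packet, so the traffic the home-net host was sending when the filtering device rejected it can be recovered from the alert's own packet data. The following Python is added here as an illustration (it is not code from the thread or from Snort): it parses raw ICMP bytes (outer IP header assumed already stripped), groups the rejections by blocked destination, protocol and port, and uses constructed sample messages.

```python
import struct
from collections import Counter

ICMP_DEST_UNREACH = 3
# Destination Unreachable codes (RFC 792 / RFC 1812); code 13 is the one in this thread's alert
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "net admin prohibited", 10: "host admin prohibited",
                 13: "communication administratively prohibited"}

def parse_icmp_unreachable(icmp):
    """Parse a raw ICMP message; for type 3, return the embedded original packet's
    addresses, protocol and destination port (what the home-net host sent)."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]                       # original IP header + first 8 bytes of its payload
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    l4 = inner[ihl:ihl + 8]
    dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) else None
    return {"code": code, "reason": UNREACH_CODES.get(code, "code %d" % code),
            "inner_src": src, "inner_dst": dst, "proto": proto, "dport": dport}

def summarize(messages):
    """Count rejections keyed by (blocked destination, protocol, port, reason)."""
    counts = Counter()
    for msg in messages:
        parsed = parse_icmp_unreachable(msg)
        if parsed:
            counts[(parsed["inner_dst"], parsed["proto"], parsed["dport"], parsed["reason"])] += 1
    return counts

def build_unreachable(code, src, dst, proto, dport):
    """Construct a sample type-3 message: ICMP header, then the original IPv4 header
    and 8 bytes of transport header (ports), as a filtering router would send it."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    l4 = struct.pack("!HHI", 40000, dport, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip_hdr + l4

# Constructed sample: three rejected DNS lookups and one rejected HTTP connection
SAMPLE_MESSAGES = [build_unreachable(13, "192.168.1.20", "203.0.113.10", 17, 53)] * 3 + \
                  [build_unreachable(13, "192.168.1.21", "198.51.100.5", 6, 80)]
```

Running `summarize(SAMPLE_MESSAGES).most_common()` over a day's worth of alert packet data shows whether the 2 GB comes from a handful of repeatedly blocked flows (a misconfigured app or ACL) or from many distinct ones.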
Current thread:
- ICMP Destination Unreachable Francesca Milanini (Jul 17)
- <Possible follow-ups>
- RE: ICMP Destination Unreachable McCammon, Keith (Jul 17)
- ICMP Destination Unreachable Ian Macdonald (Sep 06)
- Re: ICMP Destination Unreachable Phil Wood (Sep 06)
- Re: ICMP Destination Unreachable Ian Macdonald (Sep 06)
- Re: ICMP Destination Unreachable Phil Wood (Sep 06)
- Re: ICMP Destination Unreachable Phil Wood (Sep 06)