Snort mailing list archives
RE: ICMP Destination Unreachable
From: "Dennis Gorman" <dennisg () northshoreagency com>
Date: Wed, 5 Feb 2003 16:28:51 -0500
So you are saying that the connections that are causing this alert are being started by a system on my network? The destinations are my snort box and my web server. There are also 14 different sources.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kenneth G. Arnold
Sent: Wednesday, February 05, 2003 4:14 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP Destination Unreachable

I have been tracking down some of them myself recently. Someone in your network has attempted to connect to a location within someone else's network that a device in their network will not allow. That device returns this ICMP packet to tell you this. The destination of the ICMP packet is the IP address within your network that tried to access the forbidden location.

Now the tough part of this is to determine what the person at the destination IP address within your network did to provoke this. Snort may or may not have caught it depending on your settings and the type of activity. I go to my firewall logs and grep for all the activity of the user in my network. Then I look through that information for the date and time of the ICMP packets and try to determine what the user was doing to provoke the ICMP packets and if that activity is something I want to happen.

The one I discovered today was 294 ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) caused by a user within our network doing a UDP portscan on their network. The portscan probably tried to connect to locations that were blocked in their network.

Ken Arnold

At 03:45 PM 2/5/03 -0500, Dennis Gorman wrote:
I have received over 7000 "ICMP Destination Unreachable (Communication Administratively Prohibited)" alerts in the last 6 days. I look on snort.org for info about this alert, but I'm still unsure if this is something I need to worry about, and if not how can I remove this alert? I'm running Snort on a MS Windows 200 Server.

Thanks,
Dennis Gorman
Network Manager
North Shore Agency

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
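The triage Ken Arnold describes in the quoted message (take the ICMP alert's destination as the internal host, then look in the firewall log for what that host sent just before the alert time) can be scripted. This is an added example, not code from the thread or from Snort; the sample lines are constructed, the firewall log layout, the function names and the 5-second window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not taken from the thread. Alert lines follow Snort's
# "fast" alert layout (gid:sid:rev are placeholders); the firewall log layout
# is a hypothetical one and must be adapted to the real firewall.
ALERTS = """\
02/05-15:45:01.120000  [**] [1:0:0] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] {ICMP} 203.0.113.1 -> 192.168.1.10
02/05-15:45:02.480000  [**] [1:0:0] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] {ICMP} 203.0.113.1 -> 192.168.1.10
02/05-16:10:30.000000  [**] [1:0:0] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] {ICMP} 198.51.100.9 -> 192.168.1.20
"""
FIREWALL = """\
2003-02-05 15:45:00 ALLOW UDP 192.168.1.10:4021 -> 203.0.113.77:161
2003-02-05 15:45:02 ALLOW UDP 192.168.1.10:4022 -> 203.0.113.77:162
2003-02-05 15:50:00 ALLOW TCP 192.168.1.10:4100 -> 192.0.2.8:80
2003-02-05 16:10:29 ALLOW TCP 192.168.1.20:80 -> 198.51.100.44:3312
"""
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s.*ICMP Destination Unreachable"
                      r".*\{ICMP\} (\S+) -> (\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) \w+ (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def parse_alerts(text, year):
    """Return (time, icmp_sender, internal_host); fast alerts carry no year."""
    out = []
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        out.append((ts, m.group(2), m.group(3)))
    return out

def parse_firewall(text):
    """Return (time, proto, src_ip, dst_ip, dst_port) per log line."""
    out = []
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        out.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return out

def correlate(alerts, flows, window=timedelta(seconds=5)):
    # Match on the alert's destination (the internal host) and on time only:
    # the ICMP sender is the filtering device, not necessarily the flow's target.
    suspects = defaultdict(Counter)
    for a_ts, _sender, host in alerts:
        for f_ts, proto, src, dst, dport in flows:
            if src == host and timedelta(0) <= a_ts - f_ts <= window:
                suspects[host][(proto, dst, dport)] += 1
    return suspects
```

Each internal host in the result maps to the flows it sent in the seconds before an alert, which gives the short list of activity to review when deciding whether that traffic is wanted.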
Current thread:
- ICMP Destination Unreachable Dennis Gorman (Feb 05)
- Re: ICMP Destination Unreachable Kenneth G. Arnold (Feb 05)
- RE: ICMP Destination Unreachable Dennis Gorman (Feb 05)
- RE: ICMP Destination Unreachable twig les (Feb 05)
- RE: ICMP Destination Unreachable Kenneth G. Arnold (Feb 05)
- RE: ICMP Destination Unreachable Dennis Gorman (Feb 05)
- Re: ICMP Destination Unreachable Kenneth G. Arnold (Feb 05)
- Re: ICMP Destination Unreachable twig les (Feb 05)
- Re: ICMP Destination Unreachable Matt Kettler (Feb 05)
- <Possible follow-ups>
- ICMP Destination Unreachable Always Bishan (Mar 08)
- Re: ICMP Destination Unreachable Kenneth G. Arnold (Mar 08)
- Re: ICMP Destination Unreachable Erek Adams (Mar 08)
- Re: ICMP Destination Unreachable Matt Kettler (Mar 08)