Snort mailing list archives

RE: ICMP Source Quench

From: "Bryan Waters" <bryanw () abwaters com>
Date: Mon, 7 Jul 2003 12:03:49 -0700

Of course...but I did my search on yahoo and the results were so noisy that
I couldn't find anything specific on the topic.  Also...I would have thought
that Snort would have had at least a blurb in the online rule docs...since
they didn't and the yahoo results were so bad, i didn't push it figuring it
was something rather esoteric.

-bryanw

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Monday, July 07, 2003 9:08 AM
To: Bryan Waters
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP Source Quench


"Bryan Waters" <bryanw () abwaters com> writes:

What is an "ICMP Source Quench"?

I have snort running and its working fine...i'm just looking for a place

to

determine what some of the more poorly documented rules are...so i can get
an idea of what exactly is happening and how much of a threat it is...


Please tell me you atleast did (Lie if you have to :-)):

http://www.google.com/search?hl=en&query=ICMP+Source+Quench.

http://www.firewall.cx/icmp-source-quench.php

The additional $0.02 from experience:

Often times if you see ICMP source quenches your network is either
flooding a particular network OR you netblock is being spoofed and
some poor old sod is being flooded and can only yell at you about it.

Try reverse dns on the Source IP and if it's an IRC server, it's probably
the latter.
--
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

(no subject) Kristian Ro (Jul 06)
- Re: (no subject) Simon Gray (Jul 07)
- Re: (no subject) Jason K. Boykin (Jul 07)
  - ICMP Source Quench Bryan Waters (Jul 07)
    - Re: ICMP Source Quench Chris Green (Jul 07)
    - RE: ICMP Source Quench Bryan Waters (Jul 07)
    - RE: ICMP Source Quench twig les (Jul 07)
- Re: (no subject) Erek Adams (Jul 07)
- <Possible follow-ups>
- (no subject) Ravi (Jul 11)
- (no subject) JP Vossen (Jul 24)
- (no subject) Marc Quibell (Aug 04)
  - Re: (no subject) Chris Green (Aug 06)
- RE: (no subject) Miller, Eoin (Aug 04)
- (no subject) RAJNEEL DHOTRE (Aug 05)
  - Re: (no subject) Erek Adams (Aug 05)
    - Re: (no subject) Matt Kettler (Aug 05)

(Thread continues...)