Snort mailing list archives

RE: Alerts

From: hchlai () netscape net (Hugo Chun Hin Lai)
Date: Wed, 26 Jan 2005 11:22:50 -0500

David, I have also seen a lot of these ICMP packets on my network. In fact, I have also seen "ICMP Destination 
Unreachable Communication Administratively Prohibited" alerts on my network as well. Sig 485 and sig 486 seems to be 
related, but I have not figured out the exact differences. I have read RFC 1812 but I am still very lost. I am 
currently checking my routers' ACL and firewall rules to see if I am denying any traffic that's particular causing the 
alert. The only worry that I have is spoofed traffic. Can anybody give me some pointers on how to investigate these 
alerts (ICPM Destination Unreachable Communication Administratively Prohibited & ICMP Destination Unreachable 
Communication with Destination Host is Administratively Prohibited)?
Many Thanks!

Hugo

David Young <korang () gmail com> wrote:

I have Snort running on a Fedora Core 3 server.  I see alot of ICMP
Destination Unreachable Communication with Destination Host is
Administratively Prohibited    alerts.  The problem is it appears that
my server is the source IP.  Is my server running rouge pings?  Or is
it as I suspect that someone has scanned or pingged(sp) my server but
is unable to respond?  Thanks in advance.

David Young


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Alerts David Young (Jan 25)
- RE: Alerts Brian Jameson (Jan 26)
- <Possible follow-ups>
- RE: Alerts Hugo Chun Hin Lai (Jan 26)
  - Re: Alerts Bill Parker (Jan 26)
- Alerts Brian Stamper (Feb 03)
- RE: Alerts Schott, Erik J Mr ANOSC/FCBS (Feb 03)