Security Incidents mailing list archives

RE: ICMP Destination Unreachable in SNORT


From: Robert Buckley <rbuckley () synapsemail com>
Date: Wed, 19 Jun 2002 12:32:05 -0400

Sounds like a typical UDP port 137 broadcast getting sent to the outside.
Snort should give the initial packet that is causing the unreach.
I see the same thing with dial up users who can't find a WINS box.

-----Original Message-----
From: Grimes, Shawn (NIA/IRP) [mailto:GrimesSh () grc nia nih gov]
Sent: Wednesday, June 19, 2002 11:18 AM
To: 'incidents () securityfocus com'
Subject: ICMP Destination Unreachable in SNORT


I'm getting ICMP Destination Unreachable alerts in SNORT from a dial
up user.  It seems the original destination IP is to x.x.255.255
(x.x. being the first two octets of our range).  The router is
filtering these packets (hence why I get the ICMP destination
unreachable).  My question is, is this a misconfigured box? If so,
what is misconfigured?  Is this a compromised box?

Any ideas? Do you need additional information?

Thank You,
Shawn Grimes
Computer Specialist
NCTS - Gerontology Research Center
410-558-8007
grimessh () grc nia nih gov

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
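
Added illustration, not part of the original thread or any poster's code: an ICMP Destination Unreachable message quotes the IP header and first 8 bytes of the datagram that triggered it, so the original destination and port can be read back out of the alert payload. The addresses, the 10.20.0.0/16 range, ICMP code 13 and the function names are constructed assumptions.

```python
import ipaddress
import struct

def parse_unreachable(icmp: bytes, local_net: str) -> dict:
    """Recover the original datagram quoted inside an ICMP type 3 message."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short to hold a quoted IP header plus 8 bytes")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not an ICMP Destination Unreachable message")
    inner = icmp[8:]                      # skip type, code, checksum, 4 unused bytes
    ihl = (inner[0] & 0x0F) * 4           # quoted IP header length in bytes
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not a complete IPv4 header")
    proto = inner[9]
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    sport = dport = None
    if proto in (6, 17):                  # TCP and UDP both start with the ports
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    # Directed broadcast of the monitored range, e.g. x.x.255.255 for a /16.
    broadcast = dst == ipaddress.ip_network(local_net).broadcast_address
    return {
        "code": code, "proto": proto, "src": str(src), "dst": str(dst),
        "sport": sport, "dport": dport,
        "netbios_broadcast": broadcast and proto == 17 and dport == 137,
    }

def sample_unreachable() -> bytes:
    """Constructed sample: a type 3 / code 13 reply quoting a UDP 137 broadcast."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 78, 0x1234, 0, 127, 17, 0,
                     ipaddress.IPv4Address("10.20.30.40").packed,
                     ipaddress.IPv4Address("10.20.255.255").packed)
    udp = struct.pack("!HHHH", 137, 137, 58, 0)   # sport, dport, length, checksum
    return struct.pack("!BBHI", 3, 13, 0, 0) + ip + udp  # checksums left at 0

if __name__ == "__main__":
    print(parse_unreachable(sample_unreachable(), "10.20.0.0/16"))
```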
