Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Does ICMP detection work or what?

From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 28 Jun 2001 17:22:27 -0600 (MDT)
On Thu, 28 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:



We don't allow ICMP in our out of our firewall. I have the Snort server just
inside the firewall. Every day I get TONS of countless alerts on just about
every type of ICMP packet possible that is supposedly coming in through the
firewall. How can this be? If I do a manual ping against the outside of the
firewall, I get no responses so it appears to be blocked. We also checked
the rules on the firewall, and ICMP is definitely blocked in BOTH
directions. Yet my logs are filling up with ICMP alerts. Some examples are
below. We should be seeing NO ICMP alerts, yet we are seeing ALL of these.
Can someone explain? This is a HUGE problem.


Ping and ICMP aren't the same thing, ping only accounts for two ICMP
types, and there are quite a few more (as evidenced by your examples.)
What kind of firewall do you have, and what exactly does the rule say?

                                        Ryan


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: