Snort mailing list archives
Re: Does ICMP detection work or what?
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 28 Jun 2001 17:22:27 -0600 (MDT)
On Thu, 28 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
> We don't allow ICMP in or out of our firewall. I have the Snort server just inside the firewall. Every day I get TONS of countless alerts on just about every type of ICMP packet possible that is supposedly coming in through the firewall. How can this be? If I do a manual ping against the outside of the firewall, I get no responses so it appears to be blocked. We also checked the rules on the firewall, and ICMP is definitely blocked in BOTH directions. Yet my logs are filling up with ICMP alerts. Some examples are below. We should be seeing NO ICMP alerts, yet we are seeing ALL of these. Can someone explain? This is a HUGE problem.
Ping and ICMP aren't the same thing; ping only accounts for two ICMP types, and there are quite a few more (as evidenced by your examples). What kind of firewall do you have, and what exactly does the rule say?

Ryan
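The distinction drawn in the reply above, as an added example that is not part of the original post: it parses ICMP headers and shows which message types a ping test never exercises. The sample packets are constructed, and the "ping-only" rule is a hypothetical policy assumed for illustration, not the poster's actual firewall configuration.

```python
import struct

# ICMPv4 type numbers (RFC 792 / IANA registry). "ping" uses only types 8 and 0.
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 11: "time exceeded",
    12: "parameter problem", 13: "timestamp request", 14: "timestamp reply",
}
PING_TYPES = {0, 8}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Build a constructed ICMP message (sample input only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = inet_checksum(body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload

def classify(icmp: bytes) -> dict:
    """Decode the fixed ICMP header and label the message type."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    return {
        "type": icmp_type, "code": code,
        "name": ICMP_TYPES.get(icmp_type, "other/unassigned"),
        "is_ping": icmp_type in PING_TYPES,
        # A valid message checksums to zero when its own checksum is included.
        "checksum_ok": inet_checksum(icmp) == 0,
    }

def passes_ping_only_block(icmp: bytes) -> bool:
    """True if a hypothetical rule dropping only echo request/reply lets this through."""
    return not classify(icmp)["is_ping"]

# Constructed samples: echo request, echo reply, port unreachable,
# time exceeded in transit, host redirect.
SAMPLES = [build_icmp(8, 0, payload=b"abcd"), build_icmp(0, 0, payload=b"abcd"),
           build_icmp(3, 3), build_icmp(11, 0), build_icmp(5, 1)]

if __name__ == "__main__":
    for pkt in SAMPLES:
        info = classify(pkt)
        print(info["type"], info["name"], "| passes ping-only block:", passes_ping_only_block(pkt))
```

A manual ping that gets no answer only confirms that types 8 and 0 are filtered; the other types need their own check against the firewall rule.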