Snort mailing list archives

Re: ICMP Unreachable IP short header


From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Mon, 11 Jun 2001 19:38:35 +0200

On Mon, Jun 11, 2001 at 08:37:05AM -0600, Phil Wood wrote:

Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)
Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)

If you run with '-b', use tcpdump -x to find the icmp messages for that time
period.  An ICMP unreachable message is sent back to the source of the packet
which requested something unreachable.  Like a destination port or address.
(That feature is used in traceroute which sends packets to hopefully 
non-existent ports on a system.  When the sender gets back an ICMP port
unreachable, it knows it has reached the destination).  Snort does some
validation on the data in the icmp unreachable which should be the IP header
of the offending packet (minimum of 20 bytes) and 64 bits of "data"
(usually enough to identify what ports are involved for tcp or udp packets).
In your case some system, with a marginal IP stack, is sending back crap.
Then again, it could be some program trying to cause trouble for anyone
listening to these things. %^)

Nothing is logged, since no alert or log rule was triggered:

06/10-18:34:45.726287  [**] IDS239/pcanywhere-start [**] 134.169.73.43:2210 -> 134.169.69.242:5632
06/10-18:54:58.051610  [**] IDS239/pcanywhere-start [**] 134.169.73.43:3840 -> 134.169.69.205:5632
06/10-21:41:59.707592  [**] WEB-IIS .cnf access [**] 212.144.234.103:1126 -> 134.169.69.226:80
06/11-03:47:41.732398  [**] IDS221/http-cgi-finger [**] 206.101.206.11:1592 -> 134.169.69.226:80

-- 
ralf.hildebrandt () innominate com                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77
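As an added illustration (not code from the thread or from Snort itself) of the sanity check Phil describes: the payload of an ICMP destination-unreachable message should carry the offending packet's IP header (at least 20 bytes) followed by 64 bits of its data. The verdict names, the wrapper helper and the sample datagram below are this example's own constructions.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3, destination unreachable
MIN_IP_HEADER = 20      # minimum IPv4 header length the post mentions
ORIG_DATA_BYTES = 8     # the 64 bits of original datagram that should follow it


def check_icmp_unreachable(icmp: bytes):
    """Classify an ICMP datagram (ICMP header + payload).
    Verdict names are this example's own, not Snort's; the check follows the
    post: an unreachable's payload = offending IP header + 64 bits of data."""
    if len(icmp) < 8:
        return ("truncated", "ICMP header shorter than 8 bytes")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return ("not-unreachable", f"ICMP type {icmp_type}")
    inner = icmp[8:]                       # the embedded (offending) datagram
    if len(inner) < MIN_IP_HEADER:
        return ("short-header", f"IP short header ({len(inner)} bytes)")
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < MIN_IP_HEADER:
        return ("bad-inner-header", f"version {version}, ihl {ihl}")
    if len(inner) < ihl + ORIG_DATA_BYTES:
        return ("short-data", f"only {len(inner) - ihl} bytes after IP header")
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    detail = f"code {code} proto {proto} {src} -> {dst}"
    if proto in (6, 17):                   # TCP/UDP: ports sit in the first 4 bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        detail += f" ports {sport} -> {dport}"
    return ("ok", detail)


def build_unreachable(inner: bytes, code: int = 3) -> bytes:
    """Constructed ICMP port-unreachable wrapper; checksum left zero (not checked)."""
    return bytes([ICMP_DEST_UNREACH, code, 0, 0, 0, 0, 0, 0]) + inner


# Constructed sample: a UDP traceroute-style probe 10.0.0.1:33450 -> 10.0.0.2:33434
GOOD_INNER = bytes.fromhex(
    "4500002c00010000401100000a0000010a000002"   # 20-byte IPv4 header, proto 17
    "82aa829a00180000"                            # UDP header: 33450 -> 33434
)

if __name__ == "__main__":
    print(check_icmp_unreachable(build_unreachable(GOOD_INNER)))
    print(check_icmp_unreachable(build_unreachable(GOOD_INNER[:18])))  # the log's 18-byte case
```

Truncating the embedded datagram to 18 bytes reproduces the "IP short header (18 bytes)" condition from the log lines above; a stack that sends such replies, or a deliberate sender, would trip it the same way.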


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
