Snort mailing list archives

RE: [!] WARNING: Truncated ICMP-UNREACH header (9 bytes)


From: "Stephen C Burns" <sburns () farpointer net>
Date: Thu, 5 Jul 2001 14:24:18 -0500

Thank you,

Is there any particular reason why this would be considered an event to
be "alerted" over?  I assume that if there were, it would be some type
of DoS, but I am unaware of any that would use such construction.  Thank
you for your response(s) -

-----Original Message-----
From: Fyodor [mailto:fygrave () tigerteam net] 
Sent: Thursday, July 05, 2001 2:23 PM
To: Stephen C Burns
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] [!] WARNING: Truncated ICMP-UNREACH header (9 bytes)


On Thu, Jul 05, 2001 at 01:42:26PM -0500, Stephen C Burns wrote:

Hey all,

I am running Snort v1.7 on a Linux machine running the 2.4.5 kernel on
an IP-based network.  I receive the following message in my syslog-ng
and my Snort "alerts" file.  A tcpdump on the binary formatted capture
file reveals nothing!  Any clues?  Snort rocks.

Thanks all!

[!] WARNING: Truncated ICMP-UNREACH header (9 bytes)


According to the RFC, an ICMP unreach packet should be: IP header (20 bytes
or more) + 8 bytes (ICMP header) + 64 bits (8 bytes) of the original
datagram. In your case, instead of the last 16 bytes there were only 9
(8 -- ICMP header + 1 byte of original datagram?)
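
The length check discussed in this thread, as an added example (not code from the thread and not Snort's own decoder): it flags an ICMP destination-unreachable message shorter than the 16 bytes described in the reply, and goes one step further by checking that the quoted part holds a complete original IP header plus 64 bits, as RFC 792 lays it out. The function names and status strings are hypothetical, the sample packets are constructed (192.0.2.x addresses, zero checksums), and it assumes the "9 bytes" in the warning counts the ICMP header, as the reply guesses.

```python
import struct

ICMP_DEST_UNREACH = 3
ICMP_HDR_LEN = 8    # type, code, checksum, 4 unused bytes
ORIG_DATA_LEN = 8   # 64 bits of the original datagram

def check_icmp_unreach(ip_packet: bytes):
    """Classify one raw IPv4 packet; returns (status, icmp_length)."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return ("not-ipv4", 0)
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or len(ip_packet) < ihl or ip_packet[9] != 1:
        return ("not-icmp", 0)
    icmp = ip_packet[ihl:]
    if not icmp or icmp[0] != ICMP_DEST_UNREACH:
        return ("not-unreach", len(icmp))
    # The case in the thread: fewer than 8 + 8 bytes after the IP header.
    if len(icmp) < ICMP_HDR_LEN + ORIG_DATA_LEN:
        return ("truncated", len(icmp))
    # RFC 792: the quoted part is the original IP header + 64 bits of data.
    quoted = icmp[ICMP_HDR_LEN:]
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or q_ihl < 20 or len(quoted) < q_ihl + ORIG_DATA_LEN:
        return ("short-quote", len(icmp))
    return ("ok", len(icmp))

def build_ip(payload: bytes, proto: int = 1) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

UNREACH_HDR = bytes([3, 1, 0, 0, 0, 0, 0, 0])   # type 3, code 1, unused
SAMPLES = {   # constructed packets, not captured traffic
    "thread-case": build_ip(UNREACH_HDR + b"\x45"),               # 9 bytes
    "sixteen-bytes": build_ip(UNREACH_HDR + b"\x45" + bytes(7)),  # 16 bytes
    "full-quote": build_ip(UNREACH_HDR + build_ip(bytes(8), proto=17)),
    "echo-request": build_ip(bytes([8, 0, 0, 0, 0, 1, 0, 1])),
}

def scan(samples):
    """Run the check over a name -> packet mapping."""
    return {name: check_icmp_unreach(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, (status, n) in scan(SAMPLES).items():
        print(f"{name:14} {status:12} icmp_len={n}")
```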

