Snort mailing list archives
Re: icmp
From: "Peter VE" <peter.ve () pandora be>
Date: Thu, 15 Nov 2001 01:00:34 +0100
ok, thanks for the xplanation other question : My server (connected to the internet) has 2 NIC's 1 nic connected to cable modem 1 nic connected to LAN server is running BlackICE I installed snort on this server (Win2K) should I let it listen on the internal interface, or on the external interface (but for some reason BlackICe doesn't work anymore... I guess snort is handling all traffic)... thanks again ----- Original Message ----- From: "Ryan Russell" <ryan () securityfocus com> To: "Peter VE" <peter.ve () pandora be> Cc: <snort-users () lists sourceforge net> Sent: Thursday, November 15, 2001 12:44 AM Subject: Re: [Snort-users] icmp
On Wed, 14 Nov 2001, Peter VE wrote:All I wanted to achieve is to fool the remote users, letting them
believe my
host is unreachable for icmp traffic...Normal behavior for ICMP to a host that doesn't allow it is no response. Think about it: If you try to ping something that isn't there, you get no response. In your case, if someone tries to ping you, they don't get the echo reply (or maybe they do, depending on how you've got things configured), but they get an ICMP unreachable. The fact that they get the unreachable tells them there IS a host there, and that something really strange is up with it. Also note that IP specifies that ICMP error messages are not responded to, lest there be infinite loops of ICMP messages. Ryan
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users