Re: ICMP Destination Unreachable

[Matt Kettler <mkettler () evi-inc com>]

These packets are *extremely* common and very ordinary. There are a wide 
variety of ICMP destination unreachable packets and they are all used to 
signal that an IP packet did not reach it's destination for some reason or 
another. In this case, the message indicates that a packet reached the 
destination machine, but the machine was not listening for data on that 
port. This generaly only occurs for UDP traffic, since TCP would emit a RST 
instead. Very common when a client machine gives up on a DNS query, and the 
server winds up answering some time later anyway, among other sources.

AFAIK they only exist in snort to provide extra data to analyze traffic 
surrounding a real attack. That's why the classification is "misc 
activity", and not something bad.




At 11:36 AM 4/9/2002 -0700, Tony Wong wrote:

> I don t know why I am getting a ton of these in alert log
>
>
>
>
>
> ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc 
> activity] [Priority: 3] {ICMP}


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users