Snort mailing list archives

RE: ICMP Destination Unreachable


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Wed, 17 Jul 2002 10:51:11 -0400

Hello! I need your help. Could you reply to this address if you'll
reply today or to fra.mila () tiscalinet it if you'll reply tomorrow?
I used Snort, but I don't understand why I found only messages like
these:

Folks here subscribe to the list, post to the list, and reply to the list.  Just a general observation...

ICMP Destination Unreachable (Communication with Destination Host is
Administratively Prohibited)
from an external IP to an IP of my home-net

A host on your network tried to contact a host on an external network (likely using ICMP), and an intermediate device 
has an access control list in place that prevents this type of communication.  These rules tend to go off a lot on 
networks with ICMP-heavy apps or operating systems.  

The rule is in "icmp.rules" and it's:
alert icmp any any -> any any (msg:"ICMP Destination
Unreachable(Communication Administratively Prohibited)".......)

why they put "any any -> any any" ?

I think that the ICMP rules are, in general, more useful for troubleshooting and information gathering than intrusion 
detection.  Just my opinion.  However, if you're using them for intrusion detection, you probably want them written 
this way (any any -> any any).  ICMP is stateless, and responses can be elicited via a number of methods.  In addition, 
if you are on a relatively "closed" segment, these types of messages will often be the first indicator of malicious 
activity, specifically in the form of illegal listeners, rogue services, etc. 

are these messages important? what would you say about them?
is it possible I find ONLY these messages (an "alert" in /var/log/snort/
of 2 GB in 24 hours with ONLY messages like these)?

I would say that you need to look at these in the context of the network from which they are being generated.  Some 
networks generate tons of these during normal activity (although I would suggest that the architecture is flaky).  If 
you have this many of them, I would tend to believe that it's "normal."  However, I wouldn't rule anything out until 
you do some ACL searching and try to re-create some of the events.

Cheers

Keith
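Keith's advice to read these alerts in the context of the network comes down to asking which local host sent the blocked packet and where it was going. An ICMP Destination Unreachable message carries that answer: the 8-byte ICMP header is followed by the original IP header and the first 8 bytes of the original datagram. The Python below is an added example, not code from this thread or from Snort; it builds a few constructed type 3 / code 13 packets with documentation-range addresses (203.0.113.1 as the reporting router, 192.0.2.10 as the local host, both assumed) and then summarizes them by the local host, destination and port that triggered the ACL drop, which is the grouping you want before deciding whether 2 GB of such alerts is normal for the network.

```python
import struct
from collections import Counter

# ICMP type/code for "Communication Administratively Prohibited" (RFC 1812, 5.2.7.1)
ICMP_DEST_UNREACH = 3
CODE_ADMIN_PROHIBITED = 13
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_unreachable(reporter: str, victim: str, code: int, inner_src: str,
                      inner_dst: str, inner_proto: int, inner_l4: bytes) -> bytes:
    """ICMP Destination Unreachable as a router sends it: ICMP header, then the
    original IP header plus the first 8 bytes of the original payload."""
    quoted = build_ipv4(inner_src, inner_dst, inner_proto, inner_l4)[:28]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(reporter, victim, IPPROTO_ICMP, icmp)


def parse_admin_prohibited(pkt: bytes):
    """Return triage fields for an ICMP type 3 / code 13 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_ICMP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20:
        return None
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != CODE_ADMIN_PROHIBITED:
        return None
    inner = icmp[8:]                       # the quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    rec = {
        "reporter": bytes_to_ip(pkt[12:16]),     # device whose ACL dropped the packet
        "inner_src": bytes_to_ip(inner[12:16]),  # the local host that sent it
        "inner_dst": bytes_to_ip(inner[16:20]),  # where it was going
        "inner_proto": inner[9],
    }
    l4 = inner[inner_ihl:inner_ihl + 8]
    if rec["inner_proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    elif rec["inner_proto"] == IPPROTO_ICMP:
        rec["inner_icmp_type"] = l4[0]
    return rec


def summarize(packets):
    """Count admin-prohibited reports by (local host, destination, proto, dport)."""
    counts = Counter()
    for pkt in packets:
        rec = parse_admin_prohibited(pkt)
        if rec is not None:
            counts[(rec["inner_src"], rec["inner_dst"],
                    rec["inner_proto"], rec.get("dport"))] += 1
    return counts


# Constructed sample traffic (documentation-range addresses, not a real capture):
# two blocked HTTP attempts and one blocked ping from 192.0.2.10, reported by
# router 203.0.113.1, plus a port-unreachable (code 3) that must be ignored.
TCP_SYN_FRAGMENT = struct.pack("!HHI", 40000, 80, 1)        # sport, dport, seq
ECHO_REQ_FRAGMENT = struct.pack("!BBHHH", 8, 0, 0, 1, 1)    # ICMP echo request
SAMPLE_PACKETS = [
    build_unreachable("203.0.113.1", "192.0.2.10", CODE_ADMIN_PROHIBITED,
                      "192.0.2.10", "198.51.100.7", IPPROTO_TCP, TCP_SYN_FRAGMENT),
    build_unreachable("203.0.113.1", "192.0.2.10", CODE_ADMIN_PROHIBITED,
                      "192.0.2.10", "198.51.100.7", IPPROTO_TCP, TCP_SYN_FRAGMENT),
    build_unreachable("203.0.113.1", "192.0.2.10", CODE_ADMIN_PROHIBITED,
                      "192.0.2.10", "198.51.100.7", IPPROTO_ICMP, ECHO_REQ_FRAGMENT),
    build_unreachable("203.0.113.1", "192.0.2.10", 3,
                      "192.0.2.10", "198.51.100.7", IPPROTO_UDP, TCP_SYN_FRAGMENT),
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_PACKETS).most_common():
        print(n, key)
```

Feed raw IPv4 bytes from a capture in place of SAMPLE_PACKETS; the counters tell you which local hosts and which destinations account for the volume, and keying the same Counter by `reporter` shows whether a single ACL device is producing most of the noise, which is the "ACL searching" Keith suggests before writing the alerts off as normal.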


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users