Snort mailing list archives

RE: ICMP Destination Unreachable


From: "Dennis Gorman" <dennisg () northshoreagency com>
Date: Wed, 5 Feb 2003 16:28:51 -0500

So you are saying that the connections that are causing this alert are being
started by a system on my network?

The destinations are my snort box and my web server.  There are also 14
different sources.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Kenneth G.
Arnold
Sent: Wednesday, February 05, 2003 4:14 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP Destination Unreachable


I have been tracking down some of them myself recently. Someone in your
network has attempted to connect to a location within someone else's
network that a device in their network will not allow.  That device returns
this icmp packet to tell you this.  The destination of the icmp packet is
the ip address within your network that tried to access the forbidden
location.

Now the tough part of this is to determine what the person at the
destination IP address within your network did to provoke this.  Snort may
or may not have caught it depending on your settings and the type of
activity.  I go to my firewall logs and grep for all the activity of the
user in my network.  Then I look through that information for the date and
time of the icmp packets and try to determine what the user was doing to
provoke the icmp packets and if that activity is something I want to
happen.  The one I discovered today was 294 ICMP Destination Unreachable
(Communication with Destination Network is Administratively Prohibited)
caused by a user within our network doing a UDP portscan on their
network.  The portscan probably tried to connect to locations that were
blocked in their network.

Ken Arnold

At 03:45 PM 2/5/03 -0500, Dennis Gorman wrote:
I have received over 7000 "ICMP Destination Unreachable (Communication
Administratively Prohibited)" alerts in the last 6 days.  I look on
snort.org for info about this alert, but I'm still unsure if this is
something I need to worry about, and if not how can I remove this alert?

I run snort on an MS Windows 200 Server.


Thanks,

Dennis Gorman
Network Manager
North Shore Agency




-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



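Ken's reasoning above (the ICMP packet is addressed to the local host that sent the offending datagram, the ICMP source is the device that refused it, and the copy of the original header inside the ICMP payload says what that host tried to reach) can be checked mechanically per packet. The example below is added here and is not code from the list thread or from Snort; the packet and addresses are constructed (documentation ranges), and the field names in the returned dict are my own.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13   # "Communication Administratively Prohibited"

def parse_ipv4_header(buf):
    """Return (src, dst, protocol, header_length) for the IPv4 header at buf[0:]."""
    ihl = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], ihl

def triage_admin_prohibited(packet):
    """Explain an ICMP type 3 / code 13 packet: which device blocked what, on behalf of which local host.

    Returns None when the packet is not that ICMP message or is internally inconsistent
    (a real unreachable message quotes a datagram that was sent by the host it is addressed to)."""
    blocker, local_host, proto, ihl = parse_ipv4_header(packet)
    if proto != 1:                                   # not ICMP
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_CODE_ADMIN_PROHIBITED:
        return None
    # RFC 792: after the 8-byte ICMP header comes the original IP header plus 8 bytes of its payload
    inner = icmp[8:]
    orig_src, orig_dst, orig_proto, inner_ihl = parse_ipv4_header(inner)
    if orig_src != local_host:                       # quoted datagram was not sent by the addressee
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"blocked_by": blocker, "local_host": local_host, "tried": orig_dst,
            "proto": {6: "tcp", 17: "udp"}.get(orig_proto, str(orig_proto)),
            "src_port": sport, "dst_port": dport}

def build_sample():
    """Constructed packet: router 203.0.113.1 tells local host 192.0.2.10 that its UDP probe
    to 198.51.100.7 port 161 was administratively prohibited. Checksums are left at zero."""
    def ip_header(src, dst, proto, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    inner = ip_header("192.0.2.10", "198.51.100.7", 17, 28) + struct.pack("!HHHH", 40000, 161, 8, 0)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_ADMIN_PROHIBITED, 0, 0) + inner
    return ip_header("203.0.113.1", "192.0.2.10", 1, 20 + len(icmp)) + icmp

if __name__ == "__main__":
    print(triage_admin_prohibited(build_sample()))
```

The `local_host` and `tried`/`dst_port` values are what to grep for in the firewall logs around the alert timestamp, as Ken describes.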