Snort mailing list archives

RE: ICMP Destination Unreachable


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Wed, 05 Feb 2003 16:45:13 -0600

Actually, I think the sources of the icmps are outside his network and the destinations, of which there are only two, are the machines that he should be investigating.
Ken

At 02:27 PM 2/5/03 -0800, twig les wrote:
So wait a sec. You have over a thousand alerts a day for almost a week and there are only 14 sources? All internal? I would run, not walk, to those machines and find out what in the name of
Zeus they are trying to connect to.


--- Dennis Gorman <dennisg () northshoreagency com> wrote:
> So you are saying that the connections that are causing this alert are being
> started by a system on my network?
>
> The destinations are my snort box and my web server.  There are also 14
> different sources.
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Kenneth G.
> Arnold
> Sent: Wednesday, February 05, 2003 4:14 PM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] ICMP Destination Unreachable
>
>
> I have been tracking down some of them myself recently. Someone in your
> network has attempted to connect to a location within someone else's
> network that a device in their network will not allow.  That device returns
> this icmp packet to tell you this.  The destination of the icmp packet is
> the ip address within your network that tried to access the forbidden
> location.
>
> Now the tough part of this is to determine what the person at the
> destination IP address within your network did to provoke this.  Snort may
> or may not have caught it depending on your settings and the type of
> activity.  I go to my firewall logs and grep for all the activity of the
> user in my network.  Then I look through that information for the date and
> time of the icmp packets and try to determine what the user was doing to
> provoke the icmp packets and if that activity is something I want to
> happen.  The one I discovered today was 294 ICMP Destination Unreachable
> (Communication with Destination Network is Administratively Prohibited)
> caused by a user within our network doing a UDP portscan on their
> network.  The portscan probably tried to connect to locations that were
> blocked in their network.
> Ken Arnold
>
> At 03:45 PM 2/5/03 -0500, Dennis Gorman wrote:
> >I have received over 7000 "ICMP Destination Unreachable (Communication
> >Administratively Prohibited)" alerts in the last 6 days.  I look on
> >snort.org for info about this alert, but I'm still unsure if this is
> >something I need to worry about, and if not how can I remove this alert?
> >
> >I run snort on a MS Windows 2000 Server.
> >
> >
> >Thanks,
> >
> >Dennis Gorman
> >Network Manager
> >North Shore Agency
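Ken's point above is that the ICMP error is not the event itself but a report about one: the filtering device copies the IP header and first 8 bytes of the packet it dropped into the ICMP payload, so the internal host's original destination, protocol and ports can be read straight out of the alerting packet rather than reconstructed from firewall logs. The following is an added example, not code from the thread or from Snort, that builds a constructed type 3 / code 13 packet and decodes it; the addresses and ports are made up.

```python
"""Decode an ICMP Destination Unreachable (type 3) packet and recover the
datagram that provoked it.

Added example for this thread (not from the original posts or from Snort).
The sample packet built below is constructed, not captured.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Build a 20-byte IPv4 header (IP checksum left zero; not needed here)."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 for a correct message."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_admin_prohibited(router, victim, orig_dst, orig_proto, sport, dport, code=13):
    """Construct the ICMP error a filtering router at `router` sends back to
    `victim` after dropping victim's packet to orig_dst, sport -> dport.
    (Constructed test input, not a capture.)"""
    inner_l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # first 8 bytes of UDP/TCP
    inner = ipv4_header(victim, orig_dst, orig_proto, len(inner_l4)) + inner_l4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return ipv4_header(router, victim, 1, len(icmp)) + icmp


def decode_unreachable(pkt):
    """Return who reported the drop and what the internal host was doing,
    or None if `pkt` is not an ICMP Destination Unreachable message."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                      # outer protocol must be ICMP
        return None
    outer_src = socket.inet_ntoa(pkt[12:16])
    outer_dst = socket.inet_ntoa(pkt[16:20])
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    if _checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                     # embedded original IP header + 8 bytes
    if len(inner) < 28:
        raise ValueError("truncated inner datagram")
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    l4 = inner[inner_ihl:inner_ihl + 8]
    result = {
        "reported_by": outer_src,        # the filtering device (Snort's 'source')
        "alerted_host": outer_dst,       # the internal host (Snort's 'destination')
        "reason": UNREACH_CODES.get(icmp[1], "code %d" % icmp[1]),
        "original_src": socket.inet_ntoa(inner[12:16]),
        "original_dst": socket.inet_ntoa(inner[16:20]),
        "original_proto": PROTO_NAMES.get(inner_proto, str(inner_proto)),
    }
    if inner_proto in (6, 17) and len(l4) >= 4:
        result["original_sport"], result["original_dport"] = struct.unpack("!HH", l4[:4])
    return result


if __name__ == "__main__":
    # Hypothetical: an internal host probing SNMP on a remote network that filters it.
    sample = build_admin_prohibited("203.0.113.1", "192.168.1.50", "198.51.100.7",
                                    17, 40000, 161)
    for k, v in decode_unreachable(sample).items():
        print("%-15s %s" % (k, v))
```

The `alerted_host` field is the address Snort shows as the destination of the alert, which is the machine to look at; `original_dst`, `original_proto` and `original_dport` are what it was trying to reach. If a capture has been truncated to the ICMP header, the inner datagram is missing and the function raises rather than guessing.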


