Snort mailing list archives
Re: Snort-users digest, Vol 1 #2758 - 10 msgs
From: Kenton Smith <ksmith () chartwelltechnology com>
Date: 05 Feb 2003 16:37:00 -0700
The confusing part about these messages is in the source and destination addresses. The source of the message is the equipment sending back the Unreachable message. The Destination is the machine that would have originally sent the ICMP packet. So in this case the machines to look at are the ones shown as destination by the Snort alert (in your case, if I understand correctly, your web server and Snort sensor).

I think you should investigate this closely and here's why: Script kiddie crafts malicious (or other) packets using *your* Web Server's IP address. *He* spews the packets out and some of them hit equipment that sends back the Unreachable message. *He's* not going to get the return traffic; you are because he used *your* IP address in the packet. Therefore if you can't find any evidence of your machines sending out ICMP packets to the address listed as Source by Snort, you may want to consider the fact that someone is spoofing your address.

Just my $0.02

Kenton Smith

On Wed, 2003-02-05 at 16:09, dennisg () northshoreagency com wrote:
I have received over 7000 "ICMP Destination Unreachable (Communication Administratively Prohibited)" alerts in the last 6 days. I looked on snort.org for info about this alert, but I'm still unsure if this is something I need to worry about, and if not, how can I remove this alert? I'm running Snort on a MS Windows 200 Server.

Thanks,
Dennis Gorman
Network Manager
North Shore Agency
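One way to run the check described in the reply above, as an added example that is not part of the original post or of Snort itself. It goes a step further than the post by reading the copy of the original IP header that RFC 792 requires inside every Destination Unreachable message, so it also covers quoted TCP and UDP packets. The function names, the `outbound_flows` set (a stand-in for firewall or flow records of what your hosts really sent) and the documentation-range addresses are assumptions.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
CODE_ADMIN_PROHIBITED = 13  # "Communication Administratively Prohibited"

def parse_unreachable(icmp: bytes):
    """Return the flow of the datagram quoted inside an ICMP type 3 message, or None."""
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]              # RFC 792: original IP header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    proto = inner[9]
    sport = dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:   # TCP/UDP: ports lead the payload
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": icmp[1], "proto": proto,
            "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport}

def triage(icmp: bytes, our_hosts: set, outbound_flows: set) -> str:
    """Compare the quoted packet with what our hosts are known to have sent."""
    q = parse_unreachable(icmp)
    if q is None:
        return "unparsed"
    if q["src"] not in our_hosts:
        return "not-ours"                 # quoted packet does not claim our address
    if (q["src"], q["dst"], q["proto"], q["dport"]) in outbound_flows:
        return "own-traffic"              # a real outbound flow was filtered upstream
    return "possible-spoofed-source"      # no host here sent it: backscatter

def build_sample(src, dst, proto, sport, dport, code=CODE_ADMIN_PROHIBITED):
    """Constructed sample packet (checksums left zero; not captured traffic)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip + l4

if __name__ == "__main__":
    ours = {"192.0.2.10"}                               # assumed web server address
    flows = {("192.0.2.10", "198.51.100.7", 6, 443)}    # assumed logged outbound flow
    for pkt in (build_sample("192.0.2.10", "198.51.100.7", 6, 40000, 443),
                build_sample("192.0.2.10", "203.0.113.99", 6, 1234, 80)):
        print(triage(pkt, ours, flows))
```

A large share of "possible-spoofed-source" results spread across many unrelated quoted destinations matches the spoofing scenario in the reply; "own-traffic" results point to a local host whose packets are being filtered upstream.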