Snort mailing list archives

Re: Snort-users digest, Vol 1 #2758 - 10 msgs


From: Kenton Smith <ksmith () chartwelltechnology com>
Date: 05 Feb 2003 16:37:00 -0700

The confusing part about these messages is in the source and destination
addresses. The source of the message is the equipment sending back the
Unreachable message. The Destination is the machine that would have
originally sent the ICMP packet. So in this case the machines to look at
are the ones shown as destination by the Snort alert (in your case, if I
understand correctly, your web server and Snort sensor).

I think you should investigate this closely and here's why:

Script kiddie crafts malicious (or other) packets using *your* Web
Server's IP address. *He* spews the packets out and some of them hit
equipment that sends back the Unreachable message. *He's* not going to
get the return traffic; you are because he used *your* IP address in the
packet. Therefore if you can't find any evidence of your machines
sending out ICMP packets to the address listed as Source by Snort, you
may want to consider the fact that someone is spoofing your address.

Just my $0.02

Kenton Smith

On Wed, 2003-02-05 at 16:09, dennisg () northshoreagency com wrote:

I have received over 7000 "ICMP Destination Unreachable (Communication
Administratively Prohibited)" alerts in the last 6 days.  I looked on
snort.org for info about this alert, but I'm still unsure if this is
something I need to worry about, and if not, how can I remove this alert?

I'm running snort on a MS Windows 2000 Server.


Thanks,

Dennis Gorman
Network Manager
North Shore Agency
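
An added example, not from this thread, of the check Kenton describes above: decode a captured ICMP Destination Unreachable packet, pull out the quoted original header that the ICMP body carries (RFC 792), and compare the address it claims as sender against your own hosts and your own outbound flow records. The packet, host list and flow records below are constructed.

```python
import struct
from ipaddress import ip_address

ICMP_DEST_UNREACH = 3       # ICMP type 3
ICMP_ADMIN_PROHIBITED = 13  # code 13: Communication Administratively Prohibited

def parse_ipv4_header(buf):
    """Return (header length, protocol, src, dst) of a raw IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    return ihl, buf[9], str(ip_address(buf[12:16])), str(ip_address(buf[16:20]))

def decode_unreachable(packet):
    """Decode an IPv4 packet carrying ICMP Destination Unreachable. The outer
    src/dst are what the Snort alert shows; the ICMP body quotes the original IP
    header plus 8 payload bytes (RFC 792), i.e. the packet the router rejected."""
    ihl, proto, outer_src, outer_dst = parse_ipv4_header(packet)
    if proto != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not Destination Unreachable")
    inner = icmp[8:]  # skip type, code, checksum and the unused word
    inner_ihl, inner_proto, orig_src, orig_dst = parse_ipv4_header(inner)
    sport = dport = None
    if inner_proto in (6, 17):  # TCP or UDP: ports are the first 4 quoted bytes
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"snort_src": outer_src, "snort_dst": outer_dst, "code": icmp[1],
            "orig_src": orig_src, "orig_dst": orig_dst, "orig_proto": inner_proto,
            "orig_sport": sport, "orig_dport": dport}

def triage(info, our_hosts, outbound_seen):
    """The alert's Destination is the host the rejected packet claims to come from.
    If it is ours and our flow records show no such outbound packet, suspect spoofing."""
    if info["orig_src"] not in our_hosts:
        return "not our address"
    key = (info["orig_src"], info["orig_dst"], info["orig_proto"], info["orig_dport"])
    return "sent by us" if key in outbound_seen else "possible spoofing of our address"

def build_ipv4(src, dst, proto, payload):
    # Constructed IPv4 header for the sample below (checksum left at 0).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed) + payload

# Constructed sample: router 203.0.113.1 rejects a TCP SYN to 198.51.100.77:445 that
# claimed to come from our web server 192.0.2.10, and reports that back to us.
rejected = build_ipv4("192.0.2.10", "198.51.100.77", 6, struct.pack("!HHI", 31337, 445, 0))
SAMPLE_ALERT_PACKET = build_ipv4("203.0.113.1", "192.0.2.10", 1,
    struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + rejected)
OUR_HOSTS = {"192.0.2.10", "192.0.2.20"}  # web server and Snort sensor (constructed)
OUTBOUND_SEEN = {("192.0.2.10", "198.51.100.5", 6, 443)}  # constructed flow log
```

Feed `decode_unreachable` the raw packet bytes Snort logged for one alert; `triage` then tells you whether the quoted sender was one of your hosts and whether you have any record of it actually sending that packet.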
