Re: ICMP Destination Unreachable

[Erek Adams <erek () snort org>]

On Sat, 8 Mar 2003, [iso-8859-1] Always Bishan wrote:

> alert:ICMP Destination Unreachable (Communication
> Administratively Prohibited)
>
> source:12.125.75.126   source port:42491
>
> destination:192.168.0.4    destination port:8403
>
> protocol:ICMP
>
> 1) how can I know about this alert? what does it mean

I'd suggest doing some actual research on this.  If you use a Google
search [0], you might be supprised at what you can find out about 'ICMP
Destinantion Unreachable' there...

> 2) what does these port nos. suggest ?

Check a ports database [1].  Check the packet.  What is the machine doing?
Why is it doing it?

> 3) is it a false alert ?

We don't know.  You tell us.  :)  Was that the info from the 'Original
Datagram Dump'?  If so, looks like 12.125.75.126 send an icmp packet to
192.168.0.4.  What was the orignial type and code?

> Please do help :)

Yes, we try.

If you haven't, you might want to read this [2].  It's a fairly handy
guide of things _not_ to do on Snort-users.  :)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://tinyurl.com/73i9
[1]     http://www.snort.org/ports.html
[2]     http://www.theadamsfamily.net/~erek/snort/drinking_game.txt


-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users