Re: ICMP Destination Unreachable

[Matt Kettler <mkettler () evi-inc com>]

1) this means that a router or firewall refused to allow a packet to pass 
through it, and chose to send notice back to the source that it's traffic 
was refused.

2) 8403 is the admind port, which allows remote administration of a server, 
but is known to have lots of weaknesses and is commonly attacked. It would 
make sense for a network to block traffic incoming traffic from the 
internet attempting to connect to admind on a local machine.

3) no, it's not a false alert, but it's not always cause for alarm either, 
it's an informational thing.

In general in response to this alert you should ask yourself "why were 
these two machines trying to talk in a matter that a firewall did not 
allow?". If it seems highly unreasonable for those two machines to be 
talking, then I might be concerned. As an example scenario I often see 
these come back to my mailserver when it attempts to do an ident check on 
other servers delivering mail to it. Many networks refuse inbound ident 
requests.

In this case, the traffic was to admind. If the source is a machine you 
control, you should be seriously checking it over unless you had a good 
reason to be attempting to administer the target machine. If instead the 
target machine is the one you control, I'd not be too worried. Someone was 
probably probing your network for weakness and your firewall blocked them. 
Very common.


At 11:46 AM 3/8/2003 +0000, Always Bishan wrote:
> hi
>
> alert:ICMP Destination Unreachable (Communication
> Administratively Prohibited)
>
> source:12.125.75.126   source port:42491
>
> destination:192.168.0.4    destination port:8403
>
> protocol:ICMP
>
> 1) how can I know about this alert? what does it mean
> ?
>
> 2) what does these port nos. suggest ?
>
> 3) is it a false alert ?
>
> Please do help :)
>
> regards,
> Bishan
>
> __________________________________________________
> Do You Yahoo!?
> Everything you'll ever need on one web page
> from News and Sport to Email and Music Charts
> http://uk.my.yahoo.com
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger
> for complex code. Debugging C/C++ programs can leave you feeling lost and
> disoriented. TotalView can help you find your way. Available on major UNIX
> and Linux platforms. Try it free. www.etnus.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users