Snort mailing list archives

RE: ICMP rule not behaving as expected


From: "Tobias Rice" <rice () up edu>
Date: Mon, 7 Apr 2003 10:27:35 -0700


Hmmm. I'll take a stab...
Try this:

pass icmp [my.home.net.0/24,offending.box.external.net] any -> $HOME_NET any \
    (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype:3; sid:407; \
    classtype:misc-activity; rev:4;)


Put this in your local.rules file and start snort with the -o option.
Let us know how it works.
Tobias

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Neil Dickey
Sent: Monday, April 07, 2003 10:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ICMP rule not behaving as expected

I've checked list traffic since 2.0.0rc1 came out and haven't seen any
discussion of this.  I apologize if I missed anything, on the list or
in the manual.

The problem:  Windows boxes in my home net are UDP scanning for shares
on ports 137 and 138.  One of the university administrative machines
has its firewall set to block these, so I get "Destination Unreachable,
Port Unreachable" errors -- lots of them.  These entries are flooding
the log and reducing its usefulness.  Here is a sample from my alert
log:

  [**] [1:407:4] ICMP Destination Unreachable (Undefined Code!) [**]
  [Classification: Misc activity] [Priority: 3] 
  04/07-12:01:09.041982 0:2:33:44:55:6 -> 0:9:88:77:66:55 type:0x800 len:0x78
  offending.box.external.net -> my.home.net.99 ICMP TTL:252 TOS:0x0 ID:32283 IpLen:20 DgmLen:106 DF
  Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
  ** ORIGINAL DATAGRAM DUMP:
  my.home.net.99:137 -> offending.box.26.3:137 UDP TTL:125 TOS:0x0 ID:25359 IpLen:20 DgmLen:78 Len: 50
  ** END OF DUMP


What I would like to do is configure the Snort rule such that ICMP DU
packets from the offending box would be ignored, along with any such
packets from my home net, but I haven't been able to get it to work.

Here's what I tried first:

  In snort.conf I put the line ...
  
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
  
  ... and edited the rule in icmp-info.rules like this:

    alert icmp !$ICMP_AVOID any -> $HOME_NET any \
        (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype:3; sid:407; \
        classtype:misc-activity; rev:4;)

Snort starts and runs fine with this setup, but the ICMP packets from
"offending.box.external.net" continue to be logged.  I next tried:

  In snort.conf ...
  
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
    var ICMP_NET !$ICMP_AVOID
  
  ... and changed the rule in icmp-info.rules to this form:
  
    alert icmp $ICMP_NET any -> $HOME_NET any \
        (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype:3; sid:407; \
        classtype:misc-activity; rev:4;)

None of the rules shipped with Snort use "!" and I thought to remove it
from the rules file and see if that helped.  It didn't, and the logs are
still getting packed.

Am I missing something obvious?  Have I found a bug, or is it something
else?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115




-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




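As an added illustration (not code from the thread or from Snort itself), here is a small Python model of the address-list matching and rule ordering the two messages are discussing: a "!"-negated list, the suggested pass rule, and why that pass rule only suppresses the alert when pass rules are evaluated before alert rules, which is what the -o option does. The addresses are constructed stand-ins for the placeholders in the thread, and the matcher is a simplification rather than Snort's parser; it does not reproduce whatever caused the poster's negated rule to fail on 2.0.0rc1.

```python
import ipaddress

# Constructed stand-ins for the thread's placeholders (assumptions, not real hosts)
HOME_NET = "192.0.2.0/24"        # my.home.net.0/24, also used as $HOME_NET
OFFENDING_BOX = "198.51.100.7"   # offending.box.external.net
ICMP_AVOID = f"[{HOME_NET},{OFFENDING_BOX}]"

def parse_ip_spec(spec):
    """Parse 'any', 'a.b.c.d', 'a.b.c.0/24' or '[x,y,...]', optionally
    prefixed with '!' for negation. Returns (negated, [ip_network, ...])."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in spec.split(",")]
    return negated, nets

def addr_matches(addr, spec):
    """True when addr satisfies spec; a leading '!' flips the list test."""
    negated, nets = parse_ip_spec(spec)
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets) != negated

def rule_matches(rule, pkt):
    """Header plus itype match only; other rule options are ignored here."""
    return (pkt["proto"] == rule["proto"]
            and addr_matches(pkt["src"], rule["src"])
            and addr_matches(pkt["dst"], rule["dst"])
            and pkt.get("itype") == rule.get("itype"))

def verdict(rules, pkt, pass_first):
    """First matching rule wins. Snort's default order is alert before pass;
    'snort -o' evaluates pass rules first, which is what lets the pass rule
    suggested in the thread actually suppress sid 407."""
    rank = {"pass": 0, "alert": 1} if pass_first else {"alert": 0, "pass": 1}
    for rule in sorted(rules, key=lambda r: rank[r["action"]]):
        if rule_matches(rule, pkt):
            return rule["action"]
    return "no match"

# Stock sid 407 alert rule and the suggested pass rule (headers and itype only)
RULES = [
    {"action": "alert", "proto": "icmp", "src": "any", "dst": HOME_NET, "itype": 3},
    {"action": "pass", "proto": "icmp", "src": ICMP_AVOID, "dst": HOME_NET, "itype": 3},
]
# The port-unreachable packet from the sample alert, with constructed addresses
SAMPLE_PKT = {"proto": "icmp", "src": OFFENDING_BOX, "dst": "192.0.2.99", "itype": 3}
```

Calling verdict(RULES, SAMPLE_PKT, pass_first=True) returns "pass" while pass_first=False returns "alert", which is the difference between running with and without -o.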

