[Snort-sigs] Help on an ICMP rule: sid 486

Seth Art adidas30 at ...144...
Wed Aug 25 09:47:01 EDT 2004


Hello all.  Quick question.  I get a couple of
thousand "ICMP Destination Unreachable Communication
with Destination Host is Administratively Prohibited"
alerts a day.  

The source addresses are always the LAN cards on my Snort
sensors and the destination addresses are only IPs from
our VPN pool.

Before I write a pass rule I was just wondering if
someone has any insight on why I am getting the alerts
and what they mean?   

The rule is an any any ->  any any. icode:10; itype:3;
so I don't think it has to do with me fine-tuning the
variables more ... right?

It's only the one sensor that is monitoring the LAN
side of the firewall that picks the rules up, even
though the sources are coming from all three Linux boxes
(snort database, DMZ sensor and LAN sensor).


Thanks,
Seth  
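
Added example, not part of the original post: an ICMP error message quotes the IP header and first 8 bytes of the datagram that triggered it (RFC 792), so decoding that quoted header from a captured type 3 code 10 packet shows which original packet was refused. The function names, addresses and ports below are constructed for illustration.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3      # itype:3 in the rule
ICMP_ADMIN_PROHIBITED = 10  # icode:10 in the rule

def decode_quoted_packet(icmp: bytes):
    """Return the datagram quoted inside an ICMP type 3 code 10 message,
    or None if the message is another type/code or is truncated."""
    if len(icmp) < 8 + 20:
        return None
    if (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED):
        return None
    quoted = icmp[8:]                  # skip type, code, checksum, 4 unused bytes
    if quoted[0] >> 4 != 4:            # quoted datagram must be IPv4
        return None
    ihl = (quoted[0] & 0x0F) * 4       # quoted IP header length in bytes
    if ihl < 20 or len(quoted) < ihl:
        return None
    info = {
        "proto": quoted[9],
        "src": socket.inet_ntoa(quoted[12:16]),
        "dst": socket.inet_ntoa(quoted[16:20]),
        "sport": None,
        "dport": None,
    }
    l4 = quoted[ihl:]
    if info["proto"] in (6, 17) and len(l4) >= 4:   # TCP or UDP ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info

def build_sample() -> bytes:
    """Constructed sample: an ICMP 3/10 body quoting a TCP packet from a
    VPN-pool host (10.8.0.23) to a sensor (192.168.1.5). Checksums are left
    at zero because the decoder does not verify them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 63, 6, 0,
                     socket.inet_aton("10.8.0.23"),
                     socket.inet_aton("192.168.1.5"))
    tcp_first8 = struct.pack("!HHI", 51000, 3306, 0)
    return struct.pack("!BBHI", 3, 10, 0, 0) + ip + tcp_first8

if __name__ == "__main__":
    print(decode_quoted_packet(build_sample()))
```

The quoted source and destination are the reverse of the alert's: the quoted destination is the host that sent the ICMP error, and the quoted port identifies the service that was refused.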


		