[Snort-sigs] Help on an ICMP rule: sid 486
alex.kirk at ...435...
Wed Aug 25 10:54:02 EDT 2004
You are correct in that your variables aren't really relevant to this
This alert's message is actually taken from the actual error type/codes
that go along with ICMP itself; I strongly suspect that, if the wording
isn't straight from the RFC itself, it's from page 71 of Steven's TCP/IP
Illustrated Volume 1 (which is what I used to just check myself with --
great book for anyone interested in networking). All it means is that
there's some sort of policy/firewall/routing setup/whatever on the
subnet/IPs that the messages are dealing with that blocks pings.
Considering that it's your Snort sensor and your VPN pool interacting,
my guess is that you've either got a tightly configured firewall on your
Snort box (which would of course make sense), or that your VPN software
is sending these messages back. They're nothing to worry about, I'd
definitely go with a pass rule.
>Hello all. Quick question. I get a couple of
>thousand "ICMP Destination Unreachable Communication
>with Destination Host is Administratively Prohibited"
>alerts a day.
>The source addr's are always the LAN cards on my snort
>sensors and the destination addr's are only IPs from
>our VPN pool.
>Before I write a pass rule I was just wondering if
>someone has any insight on why I am getting the alerts
>and what they mean?
>The rule is an any any -> any any. icode:10; itype:3;
> so i don't think it has to do with me fine tuning the
>variables more ... right?
>It's only the one sensor that is monitoring the lan
>side of the firewall that picks up the rules up even
>tho the sources are coming from all thee linux box's
>(snort database, DMZ sensor and LAN sensor.
>Do you Yahoo!?
>Yahoo! Mail is new and improved - Check it out!
>SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
>100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
>Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
More information about the Snort-sigs