[Snort-sigs] Help on an ICMP rule: sid 486

Seth Art adidas30 at ...144...
Wed Aug 25 13:13:35 EDT 2004


Thanks so much, Alex.  The host firewall on the
sensors.  That makes perfect sense.  

Now a question about my pass rule.  It doesn't seem to
be working.  This is my first attempt at a pass rule
and I've studied other pass rules that I have found in
the archives, but nothing is working.    

In snort.conf I made two vars:

var SNORT_SENSORS [192.168.200.100,192.200.101]
var VPN_POOL 192.168.216.0/24

then added my pass rule to local.rules:

pass icmp $SNORT_SENSORS any -> $VPN_POOL (msg:"Ignore ICMP dest. Admin. Prohib"; icode:10; itype:3; sid:999901; rev:1;)

I have tried it with any any -> any any, and also with
no sid or rev because I have seen some pass rules
without them in the archives.  Snort always loads back
up after the restart but I still get the alerts.  What
am I missing?  

Thanks again,
Seth


--- Alex Kirk <alex.kirk at ...435...> wrote:

> Seth,
> 
> You are correct in that your variables aren't really relevant to this
> alert.
> 
> This alert's message is actually taken from the actual error type/codes
> that go along with ICMP itself; I strongly suspect that, if the wording
> isn't straight from the RFC itself, it's from page 71 of Stevens' TCP/IP
> Illustrated Volume 1 (which is what I used to just check myself with --
> great book for anyone interested in networking). All it means is that
> there's some sort of policy/firewall/routing setup/whatever on the
> subnet/IPs that the messages are dealing with that blocks pings.
> Considering that it's your Snort sensor and your VPN pool interacting,
> my guess is that you've either got a tightly configured firewall on your
> Snort box (which would of course make sense), or that your VPN software
> is sending these messages back. They're nothing to worry about, I'd
> definitely go with a pass rule.
> 
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
> 
> >Hello all.  Quick question.  I get a couple of thousand "ICMP
> >Destination Unreachable Communication with Destination Host is
> >Administratively Prohibited" alerts a day.
> >
> >The source addrs are always the LAN cards on my Snort sensors and the
> >destination addrs are only IPs from our VPN pool.
> >
> >Before I write a pass rule I was just wondering if someone has any
> >insight on why I am getting the alerts and what they mean?
> >
> >The rule is an any any -> any any. icode:10; itype:3; so I don't think
> >it has to do with me fine tuning the variables more ... right?
> >
> >It's only the one sensor that is monitoring the LAN side of the
> >firewall that picks the rules up even though the sources are coming
> >from all three Linux boxes (snort database, DMZ sensor and LAN sensor).
> >
> >
> >Thanks,
> >Seth
> >
> >
> >_______________________________________________
> >Snort-sigs mailing list
> >Snort-sigs at lists.sourceforge.net
>
>https://lists.sourceforge.net/lists/listinfo/snort-sigs


=====
REPLY TO:     adidas3 at ...2720...


		




More information about the Snort-sigs mailing list