[Snort-sigs] Help on an ICMP rule: sid 486

Ben Dugdale ben.dugdale at ...2751...
Fri Aug 27 11:25:02 EDT 2004


Maybe I'm behind the times (2.2.0), but I'm kind of liking
thresholds.conf for tasks like this.


On Wed, 2004-08-25 at 13:12, Seth Art wrote:
> Thanks so much, Alex.  The host firewall on the
> sensors.  That makes perfect sense.
> 
> Now a question about my pass rule.  It doesn't seem to
> be working.  This is my first attempt at a pass rule
> and I've studied other pass rules that I have found in
> the archives, but nothing is working.
> 
> In snort.conf I made two vars:
> 
> var SNORT_SENSORS [192.168.200.100,192.200.101]
> var VPN_POOL 192.168.216.0/24
> 
> then added my pass rule to local.rules:
> 
> pass icmp $SNORT_SENSORS any -> $VPN_POOL (msg:
> "Ignore ICMP dest. Admin. Prohib"; icode:10; itype:3;
> sid:999901; rev:1;)
> 
> I have tried it with any any -> any any, and also with
> no sid or rev because I have seen some pass rules
> without them in the archives.  Snort always loads back
> up after the restart but I still get the alerts.  What
> am I missing?
> 
> Thanks again,
> Seth
> 
> 
> --- Alex Kirk <alex.kirk at ...435...> wrote:
> 
> > Seth,
> > 
> > You are correct in that your variables aren't really relevant to
> > this alert.
> > 
> > This alert's message is actually taken from the actual error
> > type/codes that go along with ICMP itself; I strongly suspect that,
> > if the wording isn't straight from the RFC itself, it's from page 71
> > of Stevens' TCP/IP Illustrated Volume 1 (which is what I used to
> > just check myself with -- great book for anyone interested in
> > networking). All it means is that there's some sort of
> > policy/firewall/routing setup/whatever on the subnet/IPs that the
> > messages are dealing with that blocks pings. Considering that it's
> > your Snort sensor and your VPN pool interacting, my guess is that
> > you've either got a tightly configured firewall on your Snort box
> > (which would of course make sense), or that your VPN software is
> > sending these messages back. They're nothing to worry about, I'd
> > definitely go with a pass rule.
> > 
> > Alex Kirk
> > Research Analyst
> > Sourcefire, Inc.
> > 
> > >Hello all.  Quick question.  I get a couple of thousand "ICMP
> > >Destination Unreachable Communication with Destination Host is
> > >Administratively Prohibited" alerts a day.
> > >
> > >The source addresses are always the LAN cards on my snort sensors
> > >and the destination addresses are only IPs from our VPN pool.
> > >
> > >Before I write a pass rule I was just wondering if someone has any
> > >insight on why I am getting the alerts and what they mean?
> > >
> > >The rule is an any any -> any any. icode:10; itype:3; so I don't
> > >think it has to do with me fine tuning the variables more ... right?
> > >
> > >It's only the one sensor that is monitoring the LAN side of the
> > >firewall that picks up the rule, even though the sources are coming
> > >from all three Linux boxes (snort database, DMZ sensor and LAN
> > >sensor).
> > >
> > >
> > >Thanks,
> > >Seth
> > >
> > >_______________________________________________
> > >Snort-sigs mailing list
> > >Snort-sigs at lists.sourceforge.net
> > >https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> 
> =====
> REPLY TO:     adidas3 at ...2720...
> 
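As an added example (not posted by anyone in the thread), the two Snort 2.x mechanisms the replies touch on, side by side: the default rule evaluation order, which is why a pass rule in local.rules never wins against sid 486, and the threshold.conf suppress entry Ben is hinting at. The sensor and VPN-pool addresses are placeholders modelled on the quoted config; the second sensor address is assumed, since the quoted var has a malformed one.

```conf
# --- snort.conf (added example; addresses are placeholders) ---
var SNORT_SENSORS [192.168.200.100,192.168.200.101]
var VPN_POOL 192.168.216.0/24

# Snort 2.x evaluates rules in the order alert -> pass -> log, so sid 486
# has already alerted before any pass rule is consulted.  Start Snort
# with -o, or set the order explicitly, to put pass rules first:
config order: pass alert log activation dynamic

# --- local.rules ---
# Scoped to the sensors' own addresses and the VPN pool, never any/any,
# so only the traffic the thread explains is silenced.
pass icmp $SNORT_SENSORS any -> $VPN_POOL (msg:"Ignore ICMP dest. Admin. Prohib"; itype:3; icode:10; sid:999901; rev:1;)

# --- threshold.conf (Ben's alternative) ---
# Keep sid 486 enabled for everyone else, but suppress it when the
# source is one of the sensors.  gen_id 1 is the rules engine.
suppress gen_id 1, sig_id 486, track by_src, ip 192.168.200.100
suppress gen_id 1, sig_id 486, track by_src, ip 192.168.200.101
```

The suppress entries are the narrower option: they silence one signature for specific sources, whereas the pass rule (once the order is changed) drops every ICMP type 3/code 10 packet from those sources before any rule sees it. A quick check after either change is to restart Snort and confirm sid 486 still fires for a host outside the sensor list.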
