[Snort-users] ICMP destination unreachable

Jan Muenther jan at ...206...
Mon Jul 31 12:15:21 EDT 2000


Hello there,
I highly appreciate the fact that snort deals with protocols
other than tcp and udp now, but I do get _LOADS_ of these. I
can't quite make out why, since when I run 'netstat -an' I only
get tcp connections and I can't think of any application sending
out ICMP requests / pings running on that host. What it DOES run
is the TIS firewall toolkit - could that cause such a thing...???
I am slightly clueless at the moment.

A few logs here:

[**] ICMP Destination Unreachable [**]
07/31-15:17:02.759905 216.7.144.11 -> xx.xxx.x.xxx
ICMP TTL:47 TOS:0x0 ID:4665 
DESTINATION UNREACHABLE: HOST UNREACHABLE

[**] ICMP Destination Unreachable [**]
07/31-15:21:18.826804 216.7.144.11 -> xx.xxx.x.xxx
ICMP TTL:47 TOS:0x0 ID:9896 
DESTINATION UNREACHABLE: HOST UNREACHABLE

So, my host is xx.xxx.x.xxx... am I being pinged from outside and
snort notices my host doesn't answer...?

and in between we have this one....

[**] IDS246 - MISC - Large ICMP Packet [**]
07/31-15:29:20.549984 194.76.232.129 -> xx.xxx.x.xxx
ICMP TTL:241 TOS:0x0 ID:57409  DF
ID:48282   Seq:61662  ECHO

[**] ICMP Destination Unreachable [**]
07/31-15:41:37.998034 xx.xxx.x.xxx -> 194.221.121.196
ICMP TTL:64 TOS:0xC0 ID:29625 
DESTINATION UNREACHABLE: PORT UNREACHABLE

[**] ICMP Destination Unreachable [**]
07/31-15:41:40.080362 xx.xxx.x.xxx -> 194.221.121.196
ICMP TTL:64 TOS:0xC0 ID:29773 
DESTINATION UNREACHABLE: PORT UNREACHABLE

This is what really bewilders me. Am I getting this right: My
host is sending out ICMP packets which can't reach their
destination...???

Confused,
Jan
-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
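
An added example, not part of the original post: a small parser for the full-alert layout shown in the message that counts alerts by direction relative to one monitored host, so inbound and outbound ICMP unreachables can be told apart at a glance. The sample alerts are constructed, the addresses come from documentation ranges, and 192.0.2.10 is an assumed stand-in for the masked host.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the alerts in the post;
# 192.0.2.10 is an assumed placeholder for the monitored host.
SAMPLE = """\
[**] ICMP Destination Unreachable [**]
07/31-15:17:02.759905 198.51.100.11 -> 192.0.2.10
ICMP TTL:47 TOS:0x0 ID:4665
DESTINATION UNREACHABLE: HOST UNREACHABLE

[**] ICMP Destination Unreachable [**]
07/31-15:21:18.826804 198.51.100.11 -> 192.0.2.10
ICMP TTL:47 TOS:0x0 ID:9896
DESTINATION UNREACHABLE: HOST UNREACHABLE

[**] ICMP Destination Unreachable [**]
07/31-15:41:37.998034 192.0.2.10 -> 203.0.113.196
ICMP TTL:64 TOS:0xC0 ID:29625
DESTINATION UNREACHABLE: PORT UNREACHABLE
"""

HEADER = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]$")
FLOW = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)$")
DETAIL = re.compile(r"^DESTINATION UNREACHABLE:\s*(.+)$")

def parse_alerts(text):
    """Split on blank lines and return one dict per complete alert block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        head = HEADER.match(lines[0]) if lines else None
        flow = FLOW.match(lines[1]) if len(lines) > 1 else None
        if not (head and flow):
            continue  # not a complete alert, skip it
        detail = next((DETAIL.match(l).group(1) for l in lines[2:] if DETAIL.match(l)), None)
        alerts.append({"msg": head.group(1), "time": flow.group(1),
                       "src": flow.group(2), "dst": flow.group(3), "detail": detail})
    return alerts

def summarize(alerts, monitored):
    """Count alerts by (direction, peer address, alert message, unreachable code)."""
    counts = Counter()
    for a in alerts:
        direction = "outbound" if a["src"] == monitored else "inbound"
        peer = a["dst"] if direction == "outbound" else a["src"]
        counts[(direction, peer, a["msg"], a["detail"])] += 1
    return counts
```
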