[Snort-users] ICMP destination unreachable

Fyodor fygrave at ...121...
Mon Jul 31 12:38:14 EDT 2000

~ :Hello there,
~ :I highly appreciate the fact that snort deals with protocols
~ :other than tcp and udp now, but I do get _LOADS_ of these. I
~ :can't quite make out why, since when I run 'netstat -an' I only
~ :get tcp connections and I can't think of any application sending
~ :out ICMP requests / pings running on that host. What it DOES run

It isn't a must that it should be an ICMP ping request. It could be a
response to a UDP/TCP packet as well. An ICMP unreach packet carries the first 64
bytes of the original datagram, and that's where you usually see what the
response is for. Shall we dump this information of ICMP unreach. packets
as well?

On the other hand, ICMP unreach could also be spoofed and is usually widely
used in floodings.
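
Added example, not part of the original message and not Snort code: a parser for the quoted original datagram inside an ICMP destination unreachable message, showing which local flow the error refers to and a coarse check for errors that quote traffic the host never sent. The function names, the sample packet and its addresses are constructed for illustration.

```python
import socket
import struct

CODES = {0: "net unreachable", 1: "host unreachable",
         2: "protocol unreachable", 3: "port unreachable"}

def parse_icmp_unreach(icmp: bytes):
    """Decode the datagram quoted in an ICMP type 3 message.
    `icmp` starts at the ICMP header. Returns a dict, or None if the
    message is not type 3 or is too short to hold a quoted IPv4 header."""
    if len(icmp) < 8 + 20 or icmp[0] != 3:
        return None
    inner = icmp[8:]                      # skip type, code, checksum, 4 unused bytes
    ihl = (inner[0] & 0x0F) * 4           # quoted IP header length in bytes
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    info = {"code": CODES.get(icmp[1], "code %d" % icmp[1]),
            "proto": inner[9],
            "orig_src": socket.inet_ntoa(inner[12:16]),
            "orig_dst": socket.inet_ntoa(inner[16:20]),
            "sport": None, "dport": None}
    l4 = inner[ihl:]                      # start of the quoted transport header
    if info["proto"] in (6, 17) and len(l4) >= 4:   # TCP or UDP: ports come first
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info

def quotes_local_traffic(info, local_addrs):
    """Coarse spoofing check: a genuine error quotes a datagram this host sent,
    so its original source should be a local address. The quoted header can
    itself be forged, so a match is necessary, not sufficient."""
    return info is not None and info["orig_src"] in local_addrs

def build_sample() -> bytes:
    """Constructed sample: port unreachable for a UDP datagram
    192.0.2.10:40000 -> 198.51.100.7:53 (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

if __name__ == "__main__":
    decoded = parse_icmp_unreach(build_sample())
    print(decoded, quotes_local_traffic(decoded, {"192.0.2.10"}))
```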

