[Snort-users] ICMP: Destination Unreachable

Roeland Weve roeland at ...1415...
Thu Apr 5 10:25:28 EDT 2001


That depends on which rules you're using.
But search the info.rules file if you are using snort .rules files and
uncomment the rule (and restart snort).

Go to the dir where your rules are saved and grep:
[bash]# grep 'ICMP Destination Unreachable' * -in | less
That gives the exact warning and you'll find the rule (in this case a
lot):

info.rules:13:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Precedence Violation)"; itype: 3; icode: 14;)
info.rules:14:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Precedence Cutoff in effect)"; itype: 3; icode: 15;)
info.rules:15:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype: 3;)
info.rules:22:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication Administratively Prohibited)"; itype: 3; icode: 13;)
info.rules:24:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Source Host Isolated)"; itype: 3; icode: 8;)
info.rules:30:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Port Unreachable)"; itype: 3; icode: 3;)
info.rules:37:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Network Unreachable)"; itype: 3; icode: 0;)
info.rules:38:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)"; itype: 3; icode: 10;)
info.rules:39:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Protocol Unreachable)"; itype: 3; icode: 2;)
info.rules:40:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Unreachable for Type of Service)"; itype: 3; icode: 12;)
info.rules:41:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Fragmentation Needed and DF bit was set)"; itype: 3; icode:4;)
info.rules:42:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Source Route Failed)"; itype: 3; icode: 5;)
info.rules:43:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Destination Network Unknown)"; itype: 3; icode: 6;)
info.rules:44:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Destination Host Unknown)"; itype: 3; icode: 7;)
info.rules:46:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)"; itype: 3; icode: 9;)
info.rules:48:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Network Unreachable for Type of Service)"; itype: 3; icode:11;)
info.rules:49:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Unreachable)"; itype: 3; icode: 1;)

Edit the info.rules file, go to the line and uncomment it (#)!

Roeland

> 
> How can I stop this logging event. 90% of my log entries are of this type
> and I would like to stop snort logging this event.
> 
> regards
> jrlee
> Dallas Design Systems
> Makers of Office Inventory Manager and Golf Stat Pro

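Added example, not part of the original post: a shell function that automates the grep-and-edit step described above by prefixing each matching active rule with # (which disables it) and keeping a backup of the file. The function names and the sample rules file are constructed for illustration, and one rule per line is assumed.

```shell
#!/bin/sh
# Added example: disable Snort rules whose text contains a given string.
# Assumes one rule per line (no backslash continuations).

# disable_rules PATTERN FILE
# Prefixes every active (not yet commented) rule line containing PATTERN
# with '#', case-insensitively like the grep -i in the post.
# Saves the original as FILE.bak and prints how many rules were disabled.
disable_rules() {
    pattern=$1; file=$2
    tmp=$(mktemp) || return 1
    cp "$file" "$file.bak" || return 1
    count=$(awk -v pat="$pattern" -v out="$tmp" '
        BEGIN { pat = tolower(pat); n = 0 }
        # Skip lines that are already comments so reruns never add "##".
        !/^[ \t]*#/ && index(tolower($0), pat) { print "#" $0 > out; n++; next }
        { print > out }
        END { print n }
    ' "$file") || return 1
    # Overwrite in place so the rules file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "$count"
}

# make_sample_rules FILE: writes a constructed rules file for the demo.
make_sample_rules() {
    cat > "$1" <<'EOF'
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Port Unreachable)"; itype: 3; icode: 3;)
#alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Unreachable)"; itype: 3; icode: 1;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Network Unreachable)"; itype: 3; icode: 0;)
alert icmp any any -> any any (msg:"Constructed sample rule that must stay active"; itype: 8;)
EOF
}

# Demo on a throwaway copy, not a real Snort rules directory.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir/info.rules"
echo "disabled: $(disable_rules 'ICMP Destination Unreachable' "$demo_dir/info.rules")"
cat "$demo_dir/info.rules"
rm -rf "$demo_dir"
```

Restart Snort afterwards so the edited rules file is reloaded.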


