[Snort-users] ICMP: Destination Unreachable

shawn . moyer shawn at ...1184...
Thu Apr 5 12:56:39 EDT 2001


Tom Sevy wrote:
> 
> I don't wish to stop the logging of this message, but rather would like to
> find out why I am seeing this:
> 
> Apr  4 23:59:45 snort[3164]: ICMP Destination Unreachable: 111.222.333.444
> (nt2118wk)  -> 55.66.77.88(NT401PRD)
> 
> Yet I can go to nt2118wk and ping NT401PRD and it will work.
> 
> Any thoughts on what could be causing this kind of false positive?  Or a way
> to determine what exactly on my network is giving the message back to
> nt2118wk about destination unreachable?

Is the 111.222.333.444 box 55.66.77.88's gateway? Possibly it has a bad
route and is trying to send to a host that the other box can't route to.
If you run tcpdump for a bit on the box you should see the whole
message, which should look like:

icmp dest unreachable for <blah>

You should then be able to investigate why 55.66.77.88 is trying to send
traffic to <blah>.



--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
	                     -- Ted Turner
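
The alert line in this thread shows only two addresses, while the ICMP message itself carries the IP header and first 8 payload bytes of the datagram that could not be delivered (RFC 792); that embedded header is what the full tcpdump output reveals. The parser below is an added example, not part of the original post: it pulls the embedded header out of a raw IPv4 packet. The function names and the sample packet (documentation-range addresses, checksums left at zero) are constructed for illustration.

```python
import socket
import struct

# ICMP type 3 codes: 0-4 from RFC 792, 13 from RFC 1812
CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
         3: "port unreachable", 4: "fragmentation needed, DF set",
         13: "administratively prohibited"}

def parse_unreachable(packet):
    """Return who sent the ICMP unreachable and which original datagram it refers to."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # outer IP header length in bytes
    icmp = packet[ihl:]
    if packet[9] != 1 or len(icmp) < 28 or icmp[0] != 3:
        raise ValueError("not ICMP destination unreachable with an embedded header")
    inner = icmp[8:]                      # skip type, code, checksum, unused
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {
        "reporter": socket.inet_ntoa(packet[12:16]),   # box that sent the ICMP
        "notified": socket.inet_ntoa(packet[16:20]),   # box being told
        "reason": CODES.get(icmp[1], "code %d" % icmp[1]),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),    # the unreachable target
        "orig_proto": inner[9],
        "orig_sport": None,
        "orig_dport": None,
    }
    # The 8 payload bytes that follow the embedded header cover TCP/UDP ports.
    l4 = inner[inner_ihl:inner_ihl + 4]
    if inner[9] in (6, 17) and len(l4) == 4:
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", l4)
    return info

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the sample (checksum not computed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample: 192.0.2.10 sent UDP to 198.51.100.7:161 and the
# gateway 192.0.2.1 answered with host unreachable (type 3, code 1).
ORIGINAL = build_ipv4("192.0.2.10", "198.51.100.7", 17,
                      struct.pack("!HHHH", 40000, 161, 8, 0))
SAMPLE = build_ipv4("192.0.2.1", "192.0.2.10", 1,
                    struct.pack("!BBHI", 3, 1, 0, 0) + ORIGINAL[:28])

if __name__ == "__main__":
    for key, value in parse_unreachable(SAMPLE).items():
        print("%-11s %s" % (key, value))
```
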



