[Snort-users] ICMP: Destination Unreachable

Tom Sevy tsevy at ...1701...
Thu Apr 5 13:28:28 EDT 2001


No.  nt2118wk (111.222.333.444) is running What's Up Gold to simply monitor
& alert on up/down status of hosts (including 55.66.77.88).

-----Original Message-----
From: shawn . moyer [mailto:shawn at ...1184...]
Sent: Thursday, April 05, 2001 12:57 PM
To: Tom Sevy
Cc: Snort Users (E-mail)
Subject: Re: [Snort-users] ICMP: Destination Unreachable


Tom Sevy wrote:
> 
> I don't wish to stop the logging of this message, but rather would like to
> find out why I am seeing this:
> 
> Apr  4 23:59:45 snort[3164]: ICMP Destination Unreachable: 111.222.333.444
> (nt2118wk)  -> 55.66.77.88(NT401PRD)
> 
> Yet I can go to nt2118wk and ping NT401PRD and it will work.
> 
> Any thoughts on what could be causing this kind of false positive?  Or a way
> to determine what exactly on my network is giving the message back to
> nt2118wk about destination unreachable?

Is the 111.222.333.444 box 55.66.77.88's gateway? Possibly it has a bad
route and is trying to send to a host that the other box can't route to.
If you run tcpdump for a bit on the box you should see the whole
message, which should look like:

icmp dest unreachable for <blah>

You should then be able to investigate why 55.66.77.88 is trying to send
traffic to <blah>.



--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
	                     -- Ted Turner
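
Added example, not part of the original thread: an ICMP Destination Unreachable message carries the IP header and first 8 bytes of the datagram that triggered it (RFC 792), which is the detail tcpdump shows and the Snort alert line leaves out. This Python code decodes that embedded header from a constructed sample packet; the addresses and ports are made-up documentation values, and parse_unreachable and build_sample are hypothetical names.

```python
import socket
import struct

# ICMP type 3 codes defined in RFC 792
CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
         3: "port unreachable", 4: "fragmentation needed and DF set",
         5: "source route failed"}

def parse_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message, starting at the ICMP header."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short to hold the embedded IP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"not destination unreachable (type {icmp_type})")
    inner = icmp[8:]                 # original datagram follows the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4      # embedded IP header length in bytes
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("embedded IPv4 header is malformed or truncated")
    proto = inner[9]
    result = {
        "reason": CODES.get(code, f"code {code}"),
        "orig_src": socket.inet_ntoa(inner[12:16]),   # host whose traffic was rejected
        "orig_dst": socket.inet_ntoa(inner[16:20]),   # the destination it tried to reach
        "proto": proto, "sport": None, "dport": None,
    }
    l4 = inner[ihl:ihl + 8]          # only the first 8 bytes of TCP/UDP are guaranteed
    if proto in (6, 17) and len(l4) >= 4:
        result["sport"], result["dport"] = struct.unpack("!HH", l4[:4])
    return result

def build_sample() -> bytes:
    """Constructed sample: port unreachable for UDP 198.51.100.20:1025 -> 192.0.2.10:161.
    Checksums are left at zero because the parser does not verify them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 128, 17, 0,
                     socket.inet_aton("198.51.100.20"), socket.inet_aton("192.0.2.10"))
    udp = struct.pack("!HHHH", 1025, 161, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

if __name__ == "__main__":
    print(parse_unreachable(build_sample()))
```

The orig_dst and dport fields identify what the rejected traffic was aimed at, which is the starting point for working out why it was sent.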
