[Snort-users] ICMP Time Exceeded

Brian Caswell bmc at ...312...
Wed Jan 31 15:17:00 EST 2001

Sakshale Equorian wrote:
> Since I upgraded my rule sets to the ones
> on sourceforge, I am getting buried with these
> messages.
> [**] ICMP Time Exceeded [**]
> 01/31-01:39:15.065695 REMOTE-HOST -> LOCAL-HOST
> ICMP TTL:245 TOS:0xC0 ID:42205 IpLen:20 DgmLen:56
> Type:11  Code:0  TTL EXCEEDED
> 00 00 00 00 45 00 00 4C 47 BF 00 00 01 11 E1 AC
> ....E..LG.......
> C0 56 06 08 C0 D8 08 FF 09 ED 00 7B 00 38 73 A5
> .V.........{.8s.
> The thing that concerns/confuses me is that the local
> host is our VPN gateway, while the remote host has a
> bbnplanet address, which is not on our list of VPN
> clients.

Right now a HUGE number of the default rules are information rules
only.  ICMP Time Exceeded packets DO happen in normal traffic.  The
current full snort ruleset is being cleaned up to remove rules
that are silly for normal production environments.  If you can't wait for
a "cleaned up" version of the snort ruleset (and can't do it yourself),
I would suggest using Max Vision's ruleset for now.

NOTE: The rules are actively being updated, and a clean ruleset should
be available soon (so says Jim F.)
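To triage an alert like the one quoted above, decode the datagram that the Time Exceeded message carries: the ICMP sender is simply the router where the TTL ran out, and the embedded header tells you which of your own flows triggered it. The script below is an added example, not code from the thread; it parses the hex dump printed in the quoted alert using only the Python standard library (the local-host set passed to `originated_locally` is a constructed placeholder, since the alert's hosts are anonymized).

```python
"""Decode the original datagram embedded in an ICMP Time Exceeded (type 11)."""
import struct
from ipaddress import IPv4Address

# The 32 payload bytes Snort printed in the quoted alert: 4 "unused" bytes,
# the inner IPv4 header, then the first 8 bytes of the expired datagram.
ALERT_PAYLOAD = bytes.fromhex(
    "00 00 00 00 45 00 00 4C 47 BF 00 00 01 11 E1 AC "
    "C0 56 06 08 C0 D8 08 FF 09 ED 00 7B 00 38 73 A5"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_time_exceeded(payload: bytes) -> dict:
    """Return the 5-tuple of the datagram whose TTL expired.

    Raises ValueError if the payload is too short or not IPv4.
    """
    if len(payload) < 4 + 20:
        raise ValueError("payload too short for an embedded IPv4 header")
    inner = payload[4:]                      # skip the 4 unused bytes
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded datagram is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    l4 = inner[ihl:ihl + 8]                  # RFC 792: 64 bits of original data
    info = {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "ttl": ttl,
        "total_len": total_len,
    }
    if proto in (6, 17) and len(l4) >= 4:    # TCP/UDP ports sit in the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def originated_locally(info: dict, local_hosts: set) -> bool:
    """True when the expired datagram was sent by one of our hosts, i.e. the
    Time Exceeded is a normal reply to our own traffic, not an inbound probe."""
    return info["src"] in local_hosts


if __name__ == "__main__":
    decoded = decode_time_exceeded(ALERT_PAYLOAD)
    print(decoded)
    # Constructed placeholder: substitute the real gateway address when triaging.
    print("sent by us:", originated_locally(decoded, {"192.86.6.8"}))
```

The decoded inner header shows a UDP datagram to port 123 (NTP), so the alert records a router on the path reporting an expired TTL on outbound traffic rather than a VPN peer contacting the gateway.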
