[Snort-users] ICMP Unreachable IP short header

Phil Wood cpw at ...440...
Mon Jun 11 10:37:05 EDT 2001


On Mon, Jun 11, 2001 at 10:04:47AM +0200, Ralf Hildebrandt wrote:
> 
> Hi!
> 
> Could somebody enlighten me what this is all about:
> 
> Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)
> Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)

If you run with '-b', use tcpdump -x to find the icmp messages for that time
period.  An ICMP unreachable message is sent back to the source of the packet
which requested something unreachable, like a destination port or address.
(That feature is used in traceroute which sends packets to hopefully 
non-existent ports on a system.  When the sender gets back an ICMP port
unreachable, it knows it has reached the destination).  Snort does some
validation on the data in the icmp unreachable which should be the IP header
of the offending packet (minimum of 20 bytes) and 64 bits of "data"
(usually enough to identify what ports are involved for tcp or udp packets).
In your case some system, with a marginal IP stack, is sending back crap.
Then again, it could be some program trying to cause trouble for anyone
listening to these things. %^)

> 
> I keep seeing that about twice a day, each day. And I think it is time
> to find out what is causing this...
> 
> -- 
> ralf.hildebrandt at ...821...                            innominate AG
> Technical Consultant                   Don't be afraid of what you see -
> Diplom-Informatiker                     be afraid of what you don't see!
> tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77
> 

-- 
Phil Wood, cpw at ...440...
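
The check described in the reply above, as an added example that is not part of the original post and is not Snort's own code: it takes the hex that tcpdump -x prints for one packet and tests whether the datagram quoted inside an ICMP unreachable holds a full 20-byte IP header plus 64 bits of data. The function names, verdict strings and sample packet are constructed for illustration, and it assumes the byte count in the alert is the length of the quoted data after the 8-byte ICMP header.

```python
import struct

ICMP_PROTO, DEST_UNREACH = 1, 3
ICMP_HDR_LEN = 8     # type, code, checksum, 4 unused bytes
MIN_IP_HDR_LEN = 20  # IPv4 header without options
QUOTED_DATA_LEN = 8  # 64 bits of the offending datagram's payload


def parse_tcpdump_hex(text):
    """Convert `tcpdump -x` hex words to bytes, dropping any '0x0010:' offsets."""
    return bytes.fromhex("".join(
        "".join(line.split(":", 1)[-1].split()) for line in text.splitlines()))


def check_unreachable(packet):
    """Validate the datagram quoted in an ICMP unreachable (packet = outer IP header onward)."""
    if len(packet) < MIN_IP_HDR_LEN or packet[0] >> 4 != 4 or packet[9] != ICMP_PROTO:
        return ("not-icmp", None)
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < ICMP_HDR_LEN or icmp[0] != DEST_UNREACH:
        return ("not-unreachable", None)
    quoted = icmp[ICMP_HDR_LEN:]
    if len(quoted) < MIN_IP_HDR_LEN:
        # Assumed to be the condition behind the "(18 bytes)" alert in the post.
        return ("short-ip-header", len(quoted))
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < MIN_IP_HDR_LEN:
        return ("bad-ip-header", quoted[0])
    if len(quoted) < ihl + QUOTED_DATA_LEN:
        return ("short-quoted-data", len(quoted))
    info = {"proto": quoted[9],
            "src": ".".join(map(str, quoted[12:16])),
            "dst": ".".join(map(str, quoted[16:20]))}
    if info["proto"] in (6, 17):  # TCP or UDP: ports are the first 4 payload bytes
        info["sport"], info["dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return ("ok", info)


# Constructed sample (RFC 5737 addresses, checksums zeroed and not checked):
# 192.0.2.2 reports port unreachable for a UDP probe from 192.0.2.1 to port 33435.
GOOD = parse_tcpdump_hex("""
0x0000:  4500 0038 0002 0000 4001 0000 c000 0202
0x0010:  c000 0201 0303 0000 0000 0000 4500 001c
0x0020:  0001 0000 4011 0000 c000 0201 c000 0202
0x0030:  8235 829b 0008 0000
""")
SHORT = GOOD[:MIN_IP_HDR_LEN + ICMP_HDR_LEN + 18]  # same packet, only 18 quoted bytes

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("short", SHORT)):
        print(name, check_unreachable(pkt))
```

For a short quote the useful lead is the outer IP header of the ICMP packet itself, since its source address identifies the system that built the malformed message.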