[Snort-users] ICMP Unreachable IP short header

Ralf Hildebrandt Ralf.Hildebrandt at ...821...
Mon Jun 11 13:38:35 EDT 2001


On Mon, Jun 11, 2001 at 08:37:05AM -0600, Phil Wood wrote:

> > Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)
> > Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)
> 
> If you run with '-b', use tcpdump -x to find the icmp messages for that time
> period.  An ICMP unreachable message is sent back to the source of the packet
> which requested something unreachable.  Like a destination port or address.
> (That feature is used in traceroute which sends packets to hopefully
> non-existent ports on a system.  When the sender gets back an ICMP port
> unreachable, it knows it has reached the destination).  Snort does some
> validation on the data in the icmp unreachable which should be the IP header
> of the offending packet (minimum of 20 bytes) and 64bits of "data"
> (usually enough to identify what ports are involved for tcp or udp packets).
> In your case some system, with a marginal IP stack, is sending back crap.
> Then again, it could be some program trying to cause trouble for anyone
> listening to these things. %^)

Nothing is logged, since no alert or log rule was triggered:

06/10-18:34:45.726287  [**] IDS239/pcanywhere-start [**] 134.169.73.43:2210 -> 134.169.69.242:5632
06/10-18:54:58.051610  [**] IDS239/pcanywhere-start [**] 134.169.73.43:3840 -> 134.169.69.205:5632
06/10-21:41:59.707592  [**] WEB-IIS .cnf access [**] 212.144.234.103:1126 -> 134.169.69.226:80
06/11-03:47:41.732398  [**] IDS221/http-cgi-finger [**] 206.101.206.11:1592 -> 134.169.69.226:80

-- 
ralf.hildebrandt at ...821...                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77
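The validation Phil describes (embedded IP header of at least 20 bytes, then 64 bits of the original datagram) can be reproduced on a captured ICMP message. The following is an added example written for this thread, not snort's own code: its checks are modelled on the description above, not on snort's source, and the sample packets it builds use constructed 192.0.2.x addresses.

```python
import struct

ICMP_HDR_LEN = 8     # type, code, checksum, 4 unused bytes
IP_HDR_MIN = 20      # smallest legal IPv4 header
INNER_DATA_LEN = 8   # the 64 bits of original datagram that follow it

def check_unreachable(icmp: bytes):
    """Validate an ICMP type-3 message as described in the post.

    Returns (verdict, info): verdict is "ok" or a diagnostic phrased like the
    snort message in the thread; info holds the offending packet's addresses
    and (for TCP/UDP) ports when the embedded header is intact.
    """
    if len(icmp) < ICMP_HDR_LEN:
        return ("truncated ICMP header", None)
    if icmp[0] != 3:
        return ("not an ICMP unreachable", None)
    inner = icmp[ICMP_HDR_LEN:]
    if len(inner) < IP_HDR_MIN:
        # the condition behind "ICMP Unreachable IP short header (18 bytes)"
        return (f"IP short header ({len(inner)} bytes)", None)
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < IP_HDR_MIN or len(inner) < ihl:
        return ("malformed embedded IP header", None)
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    data = inner[ihl:ihl + INNER_DATA_LEN]
    if len(data) < INNER_DATA_LEN:
        return (f"short inner data ({len(data)} bytes)", None)
    info = {"code": icmp[1], "proto": proto, "src": src, "dst": dst}
    if proto in (6, 17):  # TCP or UDP: the first two 16-bit fields are the ports
        info["sport"], info["dport"] = struct.unpack("!HH", data[:4])
    return ("ok", info)

def build_unreachable(code, proto, src, dst, sport, dport, inner_len=None):
    """Constructed sample: ICMP type 3 wrapping a 20-byte IPv4 header plus
    8 bytes of datagram. inner_len truncates the embedded part to mimic the
    'marginal IP stack' case from the thread."""
    def ip(s):
        return bytes(int(x) for x in s.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64,
                         proto, 0, ip(src), ip(dst))
    data = struct.pack("!HHHH", sport, dport, 8, 0)  # UDP-shaped first 8 bytes
    inner = ip_hdr + data
    if inner_len is not None:
        inner = inner[:inner_len]
    return struct.pack("!BBHI", 3, code, 0, 0) + inner
```

To use it on real traffic, feed the ICMP bytes extracted from a tcpdump -x dump of the offending time window (everything after the outer IP header).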