[Snort-users] ICMP false positives...

Ofir Arkin ofir at ...949...
Thu Jun 14 03:13:48 EDT 2001

Filter the traffic that comes to/from your network guys and from the DNS
server you are using...
Don't just erase the rule. Unreachables are VERY important.

More information you can find from my research paper "ICMP Usage In
Scanning" available from:

The file size is ~ 1.75mb when zipped

The file size is ~ 5.39mb.

Look at the individual Unreachable error messages.
They can also be used for D.O.S., covert channels and other security

Just my opinion.


Ofir Arkin [ofir at ...949...]
The Sys-Security Group
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Paulie
Sent: Tuesday, June 12, 2001 9:13 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ICMP false positives...


I run a fair sized home network.  It is used mostly for personal purposes
and providing certain services to a small community of friends and fellow
network professionals.

My problem is, having installed ACID I am logging HUGE numbers of ICMP
destination unreachables and MISC large ICMP packets.  I mean LOTS.  I
generate like 5-10,000/day.  I have examined a random sampling of these
and they all appear to be benign.  Many seem to be generated by analog,
the web log analyzer we use that generates a lot of collateral traffic as it
runs through the logs (lotso DNS and the like).  Lots of the large ICMP
packets are generated by folks in network operations that use the server
to troubleshoot network issues from outside their network.  When I boil it
down it begins to seem silly for me to collect the number of these packets
that I am and keep them about.  I tend to end up batch deleting them from
the MySQL database via ACID.  They are still logged via syslog but...

So my actual question is do people think it worthwhile to continue to log
this stuff or just remove those rules from the ruleset.  I fully realize
that this is somewhat dangerous and that the whole question is VERY
relative to what any given person is looking to achieve/protect etc.  In
other words yes it depends on a lot of factors but what do people think
about not logging much of the ICMP blech that flows by?
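
Added example, not part of either message in this thread: a Python example of the triage the reply recommends, reading the code and the quoted original datagram of each ICMP destination unreachable instead of removing the rule. The network 192.0.2.0/24, the resolver 192.0.2.53, the triage labels and the sample packets are all constructed assumptions.

```python
import ipaddress
import struct

CODES = {0: "net", 1: "host", 2: "protocol", 3: "port", 4: "frag-needed",
         5: "source-route-failed", 9: "net-admin-prohibited",
         10: "host-admin-prohibited", 13: "admin-prohibited"}
HOME_NET = ipaddress.ip_network("192.0.2.0/24")      # assumed local network
DNS_SERVERS = {ipaddress.ip_address("192.0.2.53")}   # assumed resolver in use

def parse_unreachable(icmp: bytes) -> dict:
    """Parse an ICMP type 3 message and the original IPv4 datagram it quotes."""
    if len(icmp) < 28 or icmp[0] != 3:
        raise ValueError("not a complete ICMP destination unreachable")
    inner = icmp[8:]                     # quoted IP header + first 8 data bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("malformed quoted IPv4 header")
    msg = {"code": icmp[1], "proto": inner[9], "dport": None,
           "orig_src": ipaddress.ip_address(inner[12:16]),
           "orig_dst": ipaddress.ip_address(inner[16:20])}
    if inner[9] in (6, 17) and len(inner) >= ihl + 4:   # TCP or UDP ports
        msg["dport"] = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return msg

def triage(icmp: bytes) -> str:
    """Decide what to do with one unreachable instead of dropping the rule."""
    try:
        m = parse_unreachable(icmp)
    except ValueError:
        return "alert: malformed"
    if m["orig_src"] not in HOME_NET:    # the quoted packet was never ours
        return "alert: quotes traffic we did not send"
    if m["code"] == 4:                   # needed for path MTU discovery
        return "keep: path MTU discovery"
    dns = m["orig_src"] in DNS_SERVERS or m["orig_dst"] in DNS_SERVERS
    if m["proto"] == 17 and m["dport"] == 53 and dns:
        return "filter: DNS lookup collateral"
    return "review: " + CODES.get(m["code"], "code %d" % m["code"])

def sample(code, src, dst, proto, dport) -> bytes:
    """Build a constructed test message (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    ports = struct.pack("!HHHH", 40000, dport, 8, 0)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + ports

if __name__ == "__main__":
    for args in [(3, "192.0.2.53", "198.51.100.7", 17, 53),
                 (3, "203.0.113.9", "198.51.100.7", 17, 53),
                 (13, "192.0.2.10", "198.51.100.7", 6, 25)]:
        print(args, "->", triage(sample(*args)))
```
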

