[Snort-users] Does ICMP detection work or what?

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Thu Jun 28 19:00:22 EDT 2001


We don't allow ICMP in or out of our firewall. I have the Snort server just
inside the firewall. Every day I get TONS of countless alerts on just about
every type of ICMP packet possible that is supposedly coming in through the
firewall. How can this be? If I do a manual ping against the outside of the
firewall, I get no responses so it appears to be blocked. We also checked
the rules on the firewall, and ICMP is definitely blocked in BOTH
directions. Yet my logs are filling up with ICMP alerts. Some examples are
below. We should be seeing NO ICMP alerts, yet we are seeing ALL of these.
Can someone explain? This is a HUGE problem.

Thanks,
Paul


8.64    192     ICMP Echo Reply
        48    03016109.ppptlh.nettally.com -> <one of our servers>
        25    n75.OnlineToday.Com -> <one of our servers>

5.49    122     ICMP Unknown Type
        38    03016109.ppptlh.nettally.com -> <one of our servers>
        12    n75.OnlineToday.Com -> <one of our servers>

1.17    26      MISC Large ICMP Packet
        7     adsl-64-171-188-149.dsl.snfc21.pacbell.net -> <one of our servers>
        4     adsl-141-150-207-238.delval.adsl.bellatlantic.net -> <one of our servers>

1.04    1       ICMP Echo Request
        1     04016188.ppptlh.nettally.com -> <one of our servers>

0.59    13      ICMP Fragment Reassembly Time Exceeded
        5     <one of our servers> -> lsanca1-ar14-013-096.elnk.dsl.gtei.net
        2     <one of our servers> -> host217-32-125-89.hg.mdip.bt.net

0.32    7       ICMP Echo Reply (Undefined Code!)
        5     03016109.ppptlh.nettally.com -> <one of our servers>
        1     n75.OnlineToday.Com -> <one of our servers>

0.27    6       ICMP Unassigned! (Type 1)
        2     04016188.ppptlh.nettally.com -> <one of our servers>
        2     03016109.ppptlh.nettally.com -> <one of our servers>

0.09    2       ICMP Parameter Problem (Undefined Code!)
        1     n75.OnlineToday.Com -> <one of our servers>
        1     n75.OnlineToday.Com -> <one of our servers>

0.09    2       ICMP Information Reply (Undefined Code!)
        1     03016109.ppptlh.nettally.com -> <one of our servers>
        1     n75.OnlineToday.Com -> <one of our servers>

0.09    2       ICMP Echo Request (Undefined Code!)
        1     03016109.ppptlh.nettally.com -> <one of our servers>
        1     user-33qs1fp.dialup.mindspring.com -> <one of our servers>

0.09    2       ICMP Traceroute (Undefined Code!)
        1     03016109.ppptlh.nettally.com -> <one of our servers>
        1     n75.OnlineToday.Com -> <one of our servers>

0.05    1       ICMP Unassigned! (Type 1) (Undefined Code)
        1     03016109.ppptlh.nettally.com -> <one of our servers>

0.05    1       ICMP Router Selection (Undefined Code!)
        1     pD9542EB0.dip.t-dialin.net -> <one of our servers>

0.05    1       ICMP SKIP (Undefined Code!
        1     04016188.ppptlh.nettally.com -> <one of our servers>

0.05    1       ICMP IPV6 I-Am-Here (Undefined Code!
        1     NBN-TNT2-pool1-219.coastalnet.com -> <one of our servers>

0.05    1       ICMP Unassigned! (Type 7) (Undefined Code!)
        1     pD9542EB0.dip.t-dialin.net -> <one of our servers>





