[Snort-users] Does ICMP detection work or what?

Ryan Russell ryan at ...35...
Thu Jun 28 19:22:27 EDT 2001


On Thu, 28 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

>
> We don't allow ICMP in or out of our firewall. I have the Snort server just
> inside the firewall. Every day I get TONS of countless alerts on just about
> every type of ICMP packet possible that is supposedly coming in through the
> firewall. How can this be? If I do a manual ping against the outside of the
> firewall, I get no responses so it appears to be blocked. We also checked
> the rules on the firewall, and ICMP is definitely blocked in BOTH
> directions. Yet my logs are filling up with ICMP alerts. Some examples are
> below. We should be seeing NO ICMP alerts, yet we are seeing ALL of these.
> Can someone explain? This is a HUGE problem.

Ping and ICMP aren't the same thing; ping only accounts for two ICMP
types, and there are quite a few more (as evidenced by your examples).
What kind of firewall do you have, and what exactly does the rule say?

					Ryan
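
To illustrate the reply's point, here is an added Python example (not part of the original message and not Snort code). It separates ping (ICMP types 8 and 0) from the other ICMP message types and, for error messages, reads the addresses of the original datagram they quote. The helper names and the sample packets are constructed for illustration.

```python
import socket
import struct

PING_TYPES = {0: "echo reply", 8: "echo request"}
# Error messages that quote the offending datagram's IP header (RFC 792)
ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
               5: "redirect", 11: "time exceeded", 12: "parameter problem"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_icmp(msg: bytes) -> dict:
    """Classify one ICMP message (the bytes that follow the IP header)."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = msg[0], msg[1]
    name = PING_TYPES.get(icmp_type) or ERROR_TYPES.get(icmp_type, "other")
    info = {"type": icmp_type, "code": code, "name": name,
            "is_ping": icmp_type in PING_TYPES,
            "checksum_ok": inet_checksum(msg) == 0}
    # Errors carry the original IP header after the 8-byte ICMP header
    if icmp_type in ERROR_TYPES and len(msg) >= 28:
        inner = msg[8:]
        info["orig_src"] = socket.inet_ntoa(inner[12:16])
        info["orig_dst"] = socket.inet_ntoa(inner[16:20])
    return info

def build(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Build a constructed sample message with a valid checksum."""
    raw = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return raw[:2] + struct.pack("!H", inet_checksum(raw)) + raw[4:]

# Constructed samples (RFC 5737 documentation addresses), not captured traffic
_INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7")) + bytes(8)
SAMPLES = [build(8, 0, struct.pack("!HH", 1, 1), b"ping"),  # echo request
           build(0, 0, struct.pack("!HH", 1, 1), b"ping"),  # echo reply
           build(3, 3, bytes(4), _INNER),    # port unreachable
           build(11, 0, bytes(4), _INNER)]   # TTL exceeded in transit

if __name__ == "__main__":
    for m in SAMPLES:
        print(classify_icmp(m))
```
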
