[Snort-users] Does ICMP detection work or what?
francois at ...1754...
Fri Jun 29 03:56:38 EDT 2001
On Thu, 28 Jun 2001 17:22:27 -0600 (MDT), Ryan Russell <ryan at ...35...> wrote:
> On Thu, 28 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
> Ping and ICMP aren't the same thing, ping only accounts for two ICMP
> types, and there are quite a few more (as evidenced by your examples.)
> What kind of firewall do you have, and what exactly does the rule say?
Couldn't it be related to the problem Phil told us about last night:
> Phil Wood wrote:
> In my case the problem of trash icmp types and codes is the result of a
> problem with snort. It appears related to the defrag preprocessor. I have
> documented, using tcpdump and snort in parallel, that valid ICMP packets
> (as seen by tcpdump), end up in snort with some memory (not associated with
> any packet) appended to a perfectly valid IP header (with proto of ICMP).
> Tcpdump shows two fragments (out of order) which together make up an icmp
> packet. Snort's defrag constructs the complete ICMP packet with the identical
> IP header, but crud from some place in snort's memory as ICMP header and DATA.
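Added example (not code from this thread or from Snort) of the check a defrag stage should make before handing a reassembled ICMP message to detection: place fragments by offset regardless of arrival order, refuse to emit a datagram that still has uncovered bytes, then sanity-check the ICMP header and checksum. The sample fragments are constructed; VALID_TYPES is an assumed allowlist of common ICMP types.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, inet_checksum(hdr + payload), ident, seq) + payload

def fragment(data: bytes, frag_size: int):
    """Split into (offset in 8-byte units, more-fragments flag, chunk) tuples, as IP does."""
    assert frag_size % 8 == 0, "fragment offsets are counted in 8-byte units"
    return [(off // 8, off + frag_size < len(data), data[off:off + frag_size])
            for off in range(0, len(data), frag_size)]

def reassemble(frags) -> bytes:
    """Place each fragment at its offset; never emit a datagram with holes (stale memory)."""
    total, pieces = None, {}
    for off8, more, chunk in frags:
        pieces[off8 * 8] = chunk
        if not more:                       # last fragment fixes the datagram length
            total = off8 * 8 + len(chunk)
    if total is None:
        raise ValueError("last fragment never arrived")
    buf, covered = bytearray(total), bytearray(total)
    for off, chunk in pieces.items():
        buf[off:off + len(chunk)] = chunk
        covered[off:off + len(chunk)] = b"\x01" * len(chunk)
    if not all(covered):
        raise ValueError("hole in reassembled datagram")
    return bytes(buf)

VALID_TYPES = {0, 3, 4, 5, 8, 11, 12, 13, 14}   # assumed allowlist of common ICMP types

def icmp_sane(data: bytes) -> bool:
    """Reject reassembly output whose ICMP header or checksum is not plausible."""
    return len(data) >= 8 and data[0] in VALID_TYPES and inet_checksum(data) == 0

# Constructed sample: one 48-byte echo request arriving as two fragments, second one first.
ECHO = build_icmp_echo(0x1234, 1, bytes(range(40)))
FRAGS = fragment(ECHO, 24)
OUT_OF_ORDER = FRAGS[::-1]
```

Run `reassemble(OUT_OF_ORDER)` to get the original message back; `reassemble([FRAGS[1]])` raises instead of returning a half-filled buffer.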