[Snort-users] Alert messages and rule identification

Subba Rao subba9 at ...530...
Thu May 17 03:41:13 EDT 2001


My snort alert file has only these entries so far.

-----------------------------------------------------------
[**] ICMP Destination Unreachable (Undefined Code!) [**]
05/17-06:51:34.581889 Z.Z.Z.77 -> X.X.X.36
ICMP TTL:253 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
X.X.X.36:63586 -> D.D.D.213:53
UDP TTL:125 TOS:0x0 ID:29521 IpLen:20 DgmLen:64
Len: 44
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
05/17-06:51:38.578669 C.C.C.157 -> X.X.X.36
ICMP TTL:253 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
X.X.X.36:63587 -> D.D.D.214:53
UDP TTL:125 TOS:0x0 ID:32081 IpLen:20 DgmLen:57
Len: 37
** END OF DUMP
-----------------------------------------------------------

The original datagram says it is a DNS query. I get notified via ICMP
that the destination is unreachable. This looks normal to me. How do I
find out which rule has triggered this alert? I am not going to remove
that alert but will modify my DNS resolution.

Is there a way to make snort dump the rule ID along with the alert dump?

Any info appreciated.

TIA.
-- 

Subba Rao
subba9 at ...530...
http://members.home.net/subba9/

GPG public key ID 27FC9217
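An added example (not from the poster or the Snort project) for working through alert records like the ones quoted above: it parses the alert_full layout, pulls out the ICMP type/code and the quoted original datagram, and flags the case the poster describes (a host unreachable answering our own UDP/53 query) as expected, so anything else stands out for review. The sample text is constructed from the post, and `our_hosts` is an assumed set of the monitored hosts' addresses.

```python
import re

# Constructed sample in the alert_full layout shown in the post above.
SAMPLE = """\
[**] ICMP Destination Unreachable (Undefined Code!) [**]
05/17-06:51:34.581889 Z.Z.Z.77 -> X.X.X.36
ICMP TTL:253 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
X.X.X.36:63586 -> D.D.D.213:53
UDP TTL:125 TOS:0x0 ID:29521 IpLen:20 DgmLen:64
Len: 44
** END OF DUMP
"""

FLOW = re.compile(r"(\S+) -> (\S+)")            # "src -> dst" on flow lines
ICMP = re.compile(r"^Type:(\d+)\s+Code:(\d+)")  # ICMP type/code line

def parse_alerts(text):
    """One dict per '[**] msg [**]' record; inner_* keys come from the dump."""
    alerts, cur, in_dump = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[**]"):
            cur = {"msg": line.strip("[*] ")}
            alerts.append(cur)
            in_dump = False
        elif cur is None:          # text before the first record
            continue
        elif line.startswith("** ORIGINAL DATAGRAM DUMP"):
            in_dump = True
        elif line.startswith("** END OF DUMP"):
            in_dump = False
        elif (m := FLOW.search(line)):
            key = "inner_" if in_dump else ""  # dump lines describe the quoted packet
            cur[key + "src"], cur[key + "dst"] = m.group(1), m.group(2)
        elif (m := ICMP.match(line)):
            cur["type"], cur["code"] = int(m.group(1)), int(m.group(2))
        elif in_dump and line[:3] in ("UDP", "TCP"):
            cur["inner_proto"] = line[:3]
    return alerts

def expected_unreachable(alert, our_hosts):
    """True for a type-3 ICMP answering a UDP/53 query sent by one of our hosts,
    the benign case described in the post; anything else is worth a look."""
    if alert.get("type") != 3 or alert.get("inner_proto") != "UDP":
        return False
    src_ip = alert.get("inner_src", "").rsplit(":", 1)[0]
    dst_port = alert.get("inner_dst", "").rsplit(":", 1)[-1]
    return src_ip in our_hosts and dst_port == "53"
```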
