[Snort-users] "Destination Unreachable" flags
neil at ...1633...
Thu May 31 12:26:14 EDT 2001
I'm running Snort1.7 and a modified version of ruleset 1.6.3 from the
Snort website on Solaris2.7. With this setup, alert log entries like
this are relatively common:
[**] PING-ICMP Destination Unreachable [**]
05/31-05:28:40.071170 220.127.116.11 -> 111.222.333.444
ICMP TTL:236 TOS:0x0 ID:27964 IpLen:20 DgmLen:56
Type:3 Code:4 DESTINATION UNREACHABLE: FRAGMENTATION NEEDED
** ORIGINAL DATAGRAM DUMP:
111.222.333.444:80 -> 18.104.22.168:1172
TCP TTL:238 TOS:0x0 ID:19734 IpLen:20 DgmLen:1500
12UAPR** Seq: 0xF2CCCD1D Ack: 0x0 Win: 0x0 TcpLen: 0 UrgPtr: 0x0
** END OF DUMP
My question has to do with the statement made by another sysop at my
university that the list of flags in the "original datagram dump" as
reported by Snort is not reliable. I was intrigued by what appeared
to me to be unusual combinations, and the fact that the reserved bits
were set, in the packet originally sent out by my machine. Such
entries are most commonly associated with outgoing packets from ports
80 and 25 ( web daemon and sendmail, respectively ).
It hasn't seemed reasonable to me that these flags would be erroneously
reported. So, can anyone tell me whether this guy is right or wrong?
Neil Dickey, Ph.D.
Northern Illinois University
More information about the Snort-users