[Snort-users] "Destination Unreachable" flags

Neil Dickey neil at ...1633...
Thu May 31 12:26:14 EDT 2001


I'm running Snort 1.7 and a modified version of ruleset 1.6.3 from the
Snort website on Solaris 2.7.  With this setup, alert log entries like
this are relatively common:

[**] PING-ICMP Destination Unreachable [**]
05/31-05:28:40.071170 199.70.3.103 -> 111.222.333.444
ICMP TTL:236 TOS:0x0 ID:27964 IpLen:20 DgmLen:56
Type:3  Code:4  DESTINATION UNREACHABLE: FRAGMENTATION NEEDED
** ORIGINAL DATAGRAM DUMP:
111.222.333.444:80 -> 12.88.90.161:1172
TCP TTL:238 TOS:0x0 ID:19734 IpLen:20 DgmLen:1500
12UAPR** Seq: 0xF2CCCD1D  Ack: 0x0  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP

My question has to do with the statement made by another sysop at my
university that the list of flags in the "original datagram dump" as
reported by Snort is not reliable.  I was intrigued by what appeared
to me to be unusual combinations, and the fact that the reserved bits
were set, in the packet originally sent out by my machine.  Such
entries are most commonly associated with outgoing packets from ports
80 and 25 (web daemon and sendmail, respectively).

It hasn't seemed reasonable to me that these flags would be erroneously
reported.  So, can anyone tell me whether this guy is right or wrong?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
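An added illustration, not from the original post or from Snort's own code: a minimal decoder for an ICMP Destination Unreachable message that reports which fields of the quoted original datagram are actually carried. RFC 792 specifies that the error quotes the original IP header plus only the first 64 bits of its payload, so for TCP that covers the two ports and the sequence number, while the flags byte sits at offset 13 of the TCP header. The sample packet below is constructed, and the inner source address is an assumed placeholder.

```python
import struct

# Constructed sample: an ICMP Destination Unreachable (Type 3, Code 4,
# Fragmentation Needed) message, raw bytes starting at the ICMP header.
# The quoted datagram is a 20-byte IPv4 header plus the first 8 bytes of
# the TCP header (sport 80, dport 1172, seq 0xF2CCCD1D), as RFC 792 requires.
SAMPLE = (
    struct.pack("!BBHHH", 3, 4, 0, 0, 1500)           # ICMP: type, code, csum, unused, next-hop MTU
    + bytes.fromhex("4500 05dc 4d16 0000 ee06 0000")  # IPv4: ver/ihl, tos, len 1500, id, frag, ttl 238, proto TCP, csum
    + bytes([10, 0, 0, 1]) + bytes([12, 88, 90, 161]) # src (assumed placeholder) / dst
    + struct.pack("!HHI", 80, 1172, 0xF2CCCD1D)       # TCP: sport, dport, seq; only these 8 bytes are quoted
)


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Decode an ICMP Type 3 message and the original datagram it quotes.

    Only TCP fields that lie inside the quoted bytes are returned; the flags
    byte is reported as None when the quote is too short to contain it, since
    anything a decoder prints for it then does not come from the original packet.
    """
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    inner = pkt[8:]                      # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = inner[9]
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    quoted = inner[ihl:]                 # transport-layer bytes actually carried
    result = {"code": code, "mtu": mtu, "proto": proto, "src": src, "dst": dst,
              "quoted_transport_bytes": len(quoted), "tcp": {}}
    if proto == 6 and len(quoted) >= 8:
        sport, dport, seq = struct.unpack("!HHI", quoted[:8])
        result["tcp"] = {"sport": sport, "dport": dport, "seq": seq}
        # Flags occupy byte 13 of the TCP header; trust them only if present.
        result["tcp"]["flags"] = quoted[13] if len(quoted) >= 14 else None
    return result


if __name__ == "__main__":
    print(parse_icmp_unreachable(SAMPLE))
```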
