[Snort-users] icmp

Ryan Russell ryan at ...35...
Wed Nov 14 15:45:04 EST 2001

On Wed, 14 Nov 2001, Peter VE wrote:

> All I wanted to achieve is to fool the remote users, letting them believe my
> host is unreachable for icmp traffic...

Normal behavior for ICMP to a host that doesn't allow it is no response.
Think about it: If you try to ping something that isn't there, you get no
response.  In your case, if someone tries to ping you, they don't get the
echo reply (or maybe they do, depending on how you've got things
configured), but they get an ICMP unreachable.  The fact that they get the
unreachable tells them there IS a host there, and that something really
strange is up with it.

Also note that IP specifies that ICMP error messages are not responded to,
lest there be infinite loops of ICMP messages.


More information about the Snort-users mailing list