[Snort-users] icmp

Peter VE peter.ve at ...1187...
Wed Nov 14 16:04:02 EST 2001


ok, thanks for the explanation

other question :

My server (connected to the internet) has 2 NICs
1 nic connected to cable modem
1 nic connected to LAN
server is running BlackICE

I installed snort on this server (Win2K)
should I let it listen on the internal interface, or on the external
interface (but for some reason BlackICE doesn't work anymore... I guess
snort is handling all traffic)...

thanks again


----- Original Message -----
From: "Ryan Russell" <ryan at ...35...>
To: "Peter VE" <peter.ve at ...1187...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, November 15, 2001 12:44 AM
Subject: Re: [Snort-users] icmp


> On Wed, 14 Nov 2001, Peter VE wrote:
>
> > All I wanted to achieve is to fool the remote users, letting them believe my
> > host is unreachable for icmp traffic...
>
> Normal behavior for ICMP to a host that doesn't allow it is no response.
> Think about it: If you try to ping something that isn't there, you get no
> response.  In your case, if someone tries to ping you, they don't get the
> echo reply (or maybe they do, depending on how you've got things
> configured), but they get an ICMP unreachable.  The fact that they get the
> unreachable tells them there IS a host there, and that something really
> strange is up with it.
>
> Also note that IP specifies that ICMP error messages are not responded to,
> lest there be infinite loops of ICMP messages.
>
> Ryan
>
>
>
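
Added example, not part of the original thread: a small Python check over captured outbound packets that flags the ICMP replies which confirm the host's presence to whoever probed it (echo reply or destination unreachable), and applies the rule that an ICMP error is never answered with another ICMP error. The function names, the sample addresses (documentation ranges) and the packets are constructed for illustration.

```python
import socket
import struct

# ICMP types that are error messages (RFC 792).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
# Types that tell a prober a live host answered:
# 0 = echo reply, 3 = destination unreachable.
PRESENCE_TYPES = {0, 3}

def build(src, dst, icmp_type, code):
    """Constructed sample packet: 20-byte IPv4 header + 8-byte ICMP header.
    Checksums are left at zero because nothing here validates them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!BBHI", icmp_type, code, 0, 0)

def parse_icmp(packet):
    """Return (src, dst, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                       # malformed, or protocol is not ICMP
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1]

def may_answer_with_icmp_error(packet):
    """False when the packet is itself an ICMP error (loop-prevention rule)."""
    parsed = parse_icmp(packet)
    return not (parsed and parsed[2] in ICMP_ERROR_TYPES)

def presence_leaks(outbound, my_ip):
    """(dst, type, code) for each reply from my_ip that reveals the host exists."""
    leaks = []
    for pkt in outbound:
        parsed = parse_icmp(pkt)
        if parsed and parsed[0] == my_ip and parsed[2] in PRESENCE_TYPES:
            leaks.append(parsed[1:])
    return leaks

if __name__ == "__main__":
    me, prober = "192.0.2.10", "198.51.100.7"
    # Constructed capture: one unreachable sent to a prober, one outbound ping.
    sent = [build(me, prober, 3, 13), build(me, "203.0.113.5", 8, 0)]
    for dst, icmp_type, code in presence_leaks(sent, me):
        print(f"reply to {dst} reveals host: type={icmp_type} code={code}")
```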