[Snort-users] AW: (Snort-users) snort alert

sandro.poppi at ...3316... sandro.poppi at ...3316...
Tue Oct 16 23:38:15 EDT 2001


> Hi,
>         I have been running snort for a few days. The snort alert
> log file contains this msg:
>
>         [**] [1:472:1] ICMP redirect host [**]
>         [Classification: Potentially Bad Traffic] [Priority: 2]
>         10/17-12:57:14.059790 xxx.xxx.xxx.2 -> xxx.xxx.xxx.28
>         ICMP TTL:2 TOS:0x0 ID:0 IpLen:20 DgmLen:56
>         Type:5  Code:1  REDIRECT
>         [Xref => http://www.whitehats.com/info/IDS135]
>         [Xref =>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0265]
>
>         What does it mean? Why does snort tell us about bad
> traffic between 2 IP
> addresses? Does it say anything serious about my network configuration?

This alert is generated because a router (normally the default gateway) sends an
ICMP redirect, which means that it is not responsible for forwarding the sent
packet but knows another router which is, telling the station to use the other
router.

If you have more than one router in the corresponding network segment and the
address given in the redirect packet is a known router you can simply ignore the
message, but if you only have one router in the segment or the IP address is not
a known router you should have a careful look at the given IP addresses (the src
and the one in the redirect packet).

For more information take a look at the given links.

The "Classification: Potentially Bad Traffic" is defined in
/etc/snort/rules/classification.config (on Linux) and is predefined to classify
the packets and combine them with a priority setting. According to Brian's posts
last week (I think) the classifications should be re-done in a more standard
way.

HTH,
Sandro
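The triage rule in the reply above (is the advertised gateway a known router, on a segment that really has more than one?) needs the gateway address, and the alert format shown does not print it: it sits in the ICMP body after the 8-byte header, followed by the IP header and first 8 bytes of the datagram that triggered the redirect. The following is an added example, not code from the thread or from Snort. It builds a constructed ICMP Type 5 / Code 1 packet with the same length (56) and TTL (2) as the alert, using RFC 5737 documentation addresses, decodes the gateway and the original flow, and applies the rule. The router list and the segment are assumptions made for the example.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(src, dst, gateway, orig_src, orig_dst, code=1, ttl=2, ident=0) -> bytes:
    """Constructed sample packet (not a capture): IPv4 + ICMP redirect (type 5).
    Per RFC 792 the ICMP body carries the original datagram's IP header plus
    8 bytes of its payload; here that payload is a UDP header to port 53."""
    to4 = lambda a: ipaddress.IPv4Address(a).packed
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                           to4(orig_src), to4(orig_dst))
    inner_ip = inner_ip[:10] + struct.pack("!H", checksum(inner_ip)) + inner_ip[12:]
    inner = inner_ip + struct.pack("!HHHH", 53, 53, 8, 0)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, to4(gateway)) + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    # 20 (IP) + 8 (ICMP) + 28 (quoted datagram) = 56, the DgmLen in the alert
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, ttl, 1, 0,
                     to4(src), to4(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_redirect(packet: bytes) -> dict:
    """Extract what triage needs from a raw ICMP redirect: the outer src/dst
    (what the alert prints), the advertised gateway (what it does not print),
    and the flow the redirect claims to be about. Both checksums are verified."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    icmp = packet[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != ICMP_REDIRECT:
        raise ValueError("ICMP type %d is not a redirect" % itype)
    inner = icmp[8:]  # IP header of the datagram that provoked the redirect
    return {
        "src": ipaddress.IPv4Address(packet[12:16]),
        "dst": ipaddress.IPv4Address(packet[16:20]),
        "ttl": packet[8],
        "code": code,
        "kind": REDIRECT_CODES.get(code, "unknown"),
        "gateway": ipaddress.IPv4Address(gw),
        "orig_src": ipaddress.IPv4Address(inner[12:16]),
        "orig_dst": ipaddress.IPv4Address(inner[16:20]),
    }


def triage(info: dict, known_routers, segment: str):
    """Apply the rule from the reply: ignore the redirect only when the segment
    has more than one router and both the sender and the advertised gateway are
    known routers on it; otherwise return the reasons to look at the addresses."""
    routers = {ipaddress.IPv4Address(r) for r in known_routers}
    net = ipaddress.IPv4Network(segment)
    reasons = []
    if len(routers) < 2:
        reasons.append("segment has only one known router, so no redirect should be needed")
    if info["src"] not in routers:
        reasons.append("redirect sent by %s, which is not a known router" % info["src"])
    if info["gateway"] not in routers:
        reasons.append("advertised gateway %s is not a known router" % info["gateway"])
    if info["gateway"] not in net:
        reasons.append("advertised gateway %s is not on the local segment" % info["gateway"])
    return ("ignore" if not reasons else "investigate", reasons)


if __name__ == "__main__":
    # Assumed topology for the example: two routers (.2 and .3) on 192.0.2.0/24
    routers, segment = ["192.0.2.2", "192.0.2.3"], "192.0.2.0/24"
    benign = build_redirect("192.0.2.2", "192.0.2.28", "192.0.2.3", "192.0.2.28", "198.51.100.10")
    rogue = build_redirect("192.0.2.2", "192.0.2.28", "192.0.2.99", "192.0.2.28", "198.51.100.10")
    for pkt in (benign, rogue):
        info = parse_redirect(pkt)
        verdict, why = triage(info, routers, segment)
        print("%s -> %s redirect (%s) via %s: %s %s" % (
            info["src"], info["dst"], info["kind"], info["gateway"], verdict, why))
```

To run this against the real packet behind an alert, capture it with snort's packet logging (or tcpdump) and pass the raw IPv4 bytes to parse_redirect; the second constructed packet shows the case the reply says to look at carefully, a gateway that is on the segment but is not a known router.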
