[Snort-users] Suspicious ICMP traces

Ryan Russell ryan at ...35...
Tue Oct 23 08:31:06 EDT 2001

On Tue, 23 Oct 2001, Demetri Mouratis wrote:

> I'm not really sure so I thought I'd pass this along for second opinions.
> One thing that raised my suspicions was that the ICMP packet seems to
> contain a UDP datagram within it.  (Or am I jumping the gun on that?)

ICMP unreachable messages contain a portion of the original packet, so
that the hosts can determine which packet was rejected.

> So, here is the relevant portion of alert:
> [**] [1:485:1] ICMP Destination Unreachable (Communication
> Administratively Prohibited) [**]
> 10/21-20:21:24.622037 ->

Are you  Is the real attacker address, or have
you sanitized it?  That's an RFC1918 address.

> I've got maybe 10,000 of these over a few day period.  I'm also seeing
> portscans from so I'm pretty sure something is not right
> here.

Well, if you're sending ICMP unreachables in response to being
portscanned, that's pretty much what is supposed to happen.
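Added example, not part of the thread: a small decoder for the point Ryan makes above, that an ICMP Destination Unreachable message quotes the original IP header plus the first 8 bytes of its payload (RFC 792), which for UDP is the whole UDP header. The sample message, addresses and ports are constructed test values, not anything from the original alert.

```python
import struct

ICMP_DEST_UNREACH = 3
CODE_ADMIN_PROHIBITED = 13  # type 3 / code 13 is what Snort SID 1:485 alerts on


def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message and return the code
    plus the addresses/ports of the original datagram it quotes, so an
    analyst can see which packet was actually rejected."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError(f"not a destination unreachable message (type {icmp_type})")
    inner = icmp[8:]                      # quoted datagram follows the 8-byte ICMP header
    if len(inner) < 20:
        raise ValueError("quoted datagram too short for an IPv4 header")
    ihl = (inner[0] & 0x0F) * 4           # IPv4 header length in bytes
    if len(inner) < ihl + 8:
        raise ValueError("quoted datagram truncated before the transport header")
    proto = inner[9]
    result = {
        "code": code,
        "admin_prohibited": code == CODE_ADMIN_PROHIBITED,
        "orig_src": ".".join(map(str, inner[12:16])),   # host whose packet was rejected
        "orig_dst": ".".join(map(str, inner[16:20])),   # host it was trying to reach
        "orig_proto": proto,
    }
    if proto in (6, 17):                  # TCP or UDP: ports are the first 4 transport bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        result["orig_sport"], result["orig_dport"] = sport, dport
    return result


def build_sample() -> bytes:
    """Constructed test message: a UDP probe 192.0.2.10:40000 -> 198.51.100.7:161
    answered with ICMP type 3, code 13 (checksums left at zero; not verified here)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    udp_hdr = struct.pack("!HHHH", 40000, 161, 8, 0)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED, 0, 0)
    return icmp_hdr + ip_hdr + udp_hdr


if __name__ == "__main__":
    print(parse_icmp_unreachable(build_sample()))
```

Running it on the constructed message shows the quoted UDP probe to port 161, which is the "UDP datagram within it" the original poster noticed.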
