[Snort-users] What is this?

John Berkers berjo at ...827...
Wed Sep 26 06:55:02 EDT 2001


Looks like some Time To Live's exceeded in transit.  Sometimes this happens
because of a routing loop, other times because the TTL on a packet is set
too low to reach the intended destination.  The TTL is set initially as the
maximum number of hops that a packet can travel before being classed as
undeliverable.  When it is exceeded the ICMP packet that has been alerted on
is generated.

The TTL in this packet is not indicative of the TTL of the packet whose TTL
exceeded.  If you have the packet payload you can determine what the
original source and destination addresses were as the RFC requires that an
initial number of bytes from the original packet be sent back in the
payload.

All in all it is relatively normal traffic (as is a lot of ICMP stuff),
hence the reason icmp.rules is commented out by default.

Hope that clarifies things a little.

Regards,

John Berkers

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason
Withrow
Sent: Wednesday, 26 September 2001 16:05
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] What is this?



[**] ICMP Time-To-Live Exceeded in Transit [**]
09/26-01:47:48.167497 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x46
213.16.16.1 -> 66.31.82.9 ICMP TTL:237 TOS:0xC0 ID:18643 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Time-To-Live Exceeded in Transit [**]
09/26-01:47:51.153975 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x46
213.16.16.1 -> 66.31.82.9 ICMP TTL:237 TOS:0xC0 ID:18649 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Time-To-Live Exceeded in Transit [**]
09/26-01:47:57.161955 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x46
213.16.16.1 -> 66.31.82.9 ICMP TTL:237 TOS:0xC0 ID:18652 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

