[Snort-users] novice question: logs

John Sage jsage at ...2022...
Fri Jan 11 22:12:03 EST 2002


You don't say what version snort/what OS platform you're running (which 
can sometimes be helpful..) but the only place I find the string "ICMP 
Unreachable IP short header" anywhere in the files of snort 1.8.2 build 
86 on Linux is within decode.c

I am not in the least qualified to explain what decode.c is doing in any 
detail, so I won't start, but what's happened (I believe) is that you 
have received an ICMP type 3 unreachable response (unreachable what? 
there's a lot: host, network, port probably being the most common..) to 
a packet that your system has sent out, and that response packet 
contains a zero-length IP header.

IP headers are expected to be at least 20 bytes; IP options and optional 
data can make them bigger, but 20 bytes is to be expected...

The "ID 702911 daemon.error" has me a little puzzled.

"daemon.error" is from the klogd/syslogd logging process, and is 

"ID 702911" shows up on a bazillion Google search hits, but none of them 
explain **what** its significance is...

(one post calls it a process ID, but I don't think so: it's six digits... 
I couldn't grep for either ID 702911 or 702911 anywhere on my system..)

Anyway, HTH a little..

- John

Computers: they're really nothing but l's and O's

Justin Ferguson wrote:

> Hi, I have some logs on my hands and I'm not quite sure exactly what it's 
> trying to tell me:
> Jan 11 03:58:59 snarfer snort[2478]: [ID 702911 daemon.error] ICMP 
> Unreachable IP short header (0 bytes)
> Jan 11 05:49:24 snarfer last message repeated 1 time
> Jan 11 06:27:10 snarfer snort[2478]: [ID 702911 daemon.error] ICMP 
> Unreachable IP short header (0 bytes)
> I understand what the protocols are, but that error tells me little. Is 
> this a packet it received? Did it get unreachable trying to contact 
> someone? If someone could explain briefly what's happening I would 
> appreciate it a lot, thank you
> j. ferguson
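As an added illustration of the check John describes (not snort's decode.c and not code from either poster): an ICMP type 3 message is 8 bytes of ICMP header followed by the IP header of the datagram that provoked it, and that inner header should be at least 20 bytes. The function below reproduces that check, emitting the same "IP short header" wording for a message whose inner header is missing, and decodes the inner header when one is present. The packets and addresses are constructed samples.

```python
import struct
import socket

ICMP_DEST_UNREACH = 3
IP_HEADER_MIN_LEN = 20  # per the post: at least 20 bytes; IP options can enlarge it
# ICMP type 3 codes (RFC 792); the post names host, network and port as most common
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}

def check_icmp_unreachable(icmp: bytes) -> str:
    """Inspect one ICMP message (starting at the ICMP header) and describe it.
    For type 3, the bytes after the 8-byte ICMP header must hold the original
    datagram's IP header; anything shorter than 20 bytes is reported as short."""
    if len(icmp) < 8:
        return "ICMP header truncated"
    icmp_type, code = struct.unpack("!BB", icmp[:2])
    if icmp_type != ICMP_DEST_UNREACH:
        return f"ICMP type {icmp_type}: not a destination unreachable"
    inner = icmp[8:]  # original IP header + first 8 bytes of its payload
    if len(inner) < IP_HEADER_MIN_LEN:
        return f"ICMP Unreachable IP short header ({len(inner)} bytes)"
    (ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < IP_HEADER_MIN_LEN:
        return f"ICMP Unreachable: bad inner IP header (version {ver_ihl >> 4}, ihl {ihl})"
    reason = UNREACH_CODES.get(code, f"code {code}")
    # src/dst are those of OUR outgoing packet, which is what the post explains
    return (f"ICMP Unreachable ({reason}) for our datagram "
            f"{socket.inet_ntoa(src)} -> {socket.inet_ntoa(dst)} proto {proto}")

def build_unreachable(code: int, inner: bytes) -> bytes:
    """Constructed sample: ICMP type 3 header (checksum left zero) + embedded datagram."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner

# Constructed inner datagram: IPv4/UDP 192.0.2.10 -> 198.51.100.7 plus its UDP header
INNER_OK = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0, 64, 17, 0,
                       socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
INNER_OK += struct.pack("!HHHH", 40000, 53, 16, 0)  # UDP: src port, dst port, len, csum

GOOD = build_unreachable(3, INNER_OK)  # well-formed port unreachable
SHORT = build_unreachable(1, b"")      # what the quoted log shows: 0 inner bytes

if __name__ == "__main__":
    print(check_icmp_unreachable(GOOD))
    print(check_icmp_unreachable(SHORT))
```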

