[Snort-users] ICMP - redirect host
jsage at ...2022...
Thu Jul 4 11:02:05 EDT 2002
On Thu, Jul 04, 2002 at 09:31:58AM +0100, David Alexandre M. de Carvalho wrote:
> I have a red hat linux 7.2 configured to be a gateway to a masquerade network using ipchains.
> I have lot's of snort logs, but the most frequent are:
> "ICMP - redirect host. Classification: Potencially bat traffic".
> If I add the rule /sbin/ipchains -N icmp-acc to accept standard ICMP errors, and a few more "config"
> will this reduce the size of my logs ? Since they are mostly these messages.
I'm going to say, no, not at all, although the full text of what's in
the snort logs would be helpful to see, as well as your snort version
etc etc etc...
The snort alert is probably this:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect
reference:cve,CVE-1999-0265; classtype:bad-unknown; sid:472; rev:1;)
in icmp.rules; if you add a user-defined rule to ipchains, that's
going to affect ipchains, only.
You might try commenting-out that rule in icmp.rules; or, changing it
from an "alert" to a "pass" and start snort with a -o added to the
Personally, I've got my ipchains rules set up to DENY icmp redirects
-A input -s 0.0.0.0/0.0.0.0 5:5 -d 0.0.0.0/0.0.0.0 -i ppp0 -p 1 -j DENY -l
As well as this:
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > $f
which may be redundant...
"You are in a little maze of twisty passages, all different."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
More information about the Snort-users