[Snort-users] ICMP Destination Unreachable

McCammon, Keith Keith.McCammon at ...3497...
Wed Jul 17 07:52:06 EDT 2002

> Hello! I need your help. Could you reply to this address if you'll
> reply today, or to fra.mila at ...3033... if you'll reply tomorrow?
> I used Snort; but I don't understand why I found only messages like
> these:

Folks here subscribe to the list, post to the list, and reply to the list.  Just a general observation...

> ICMP Destination Unreachable (Communication with Destination Host is
> Administratively Prohibited)
> from an external IP to an IP of my home-net

A host on your network tried to contact a host on an external network (likely using ICMP), and an intermediate device has an access control list in place that prevents this type of communication.  These rules tend to go off a lot on networks with ICMP-heavy apps or operating systems.

> The rule is in "icmp.rules" and it's:
> alert icmp any any -> any any (msg:"ICMP Destination
> Unreachable (Communication Administratively Prohibited)".......)
> Why did they put "any any -> any any"?

I think that the ICMP rules are, in general, more useful for troubleshooting and information gathering than intrusion detection.  Just my opinion.  However, if you're using them for intrusion detection, you probably want them written this way (any any -> any any).  ICMP is stateless, and responses can be elicited via a number of methods.  In addition, if you are on a relatively "closed" segment, these types of messages will often be the first indicator of malicious activity, specifically in the form of illegal listeners, rogue services, etc.

> are these messages important? what would you say about them?
> Is it possible that I find ONLY these messages (an "alert" file in
> /var/log/snort/
> of 2 GB in 24 hours with ONLY messages like these)?

I would say that you need to look at these in the context of the network from which they are being generated.  Some networks generate tons of these during normal activity (although I would suggest that the architecture is flaky).  If you have this many of them, I would tend to believe that it's "normal."  However, I wouldn't rule anything out until you do some ACL searching and try to re-create some of the events.
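One way to do the "look at these in context" step from the reply above: parse the Snort fast-format alert file and count the Administratively Prohibited unreachables per (filtering device, home-net host) pair, so the chatty pairs stand out before you go ACL hunting. This is an added example, not code from the thread or from Snort; the alert lines, sid numbers and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of Snort "fast" alert lines (not from the original thread).
# The sid/rev values and IP addresses are illustrative placeholders.
SAMPLE_ALERTS = """\
07/17-07:40:01.100000  [**] [1:9999:1] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
07/17-07:40:02.200000  [**] [1:9999:1] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
07/17-07:41:05.300000  [**] [1:9999:1] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.22
07/17-07:42:17.400000  [**] [1:9998:1] ICMP Echo Reply [**] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.10
07/17-07:43:09.500000  [**] [1:9999:1] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
"""

# Fast-alert layout: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
# (ports appear after src/dst for TCP/UDP, so they are optionally consumed).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that don't match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def is_admin_prohibited(alert):
    return alert["proto"] == "ICMP" and "Administratively Prohibited" in alert["msg"]

def summarize_admin_prohibited(alerts):
    """Return {(src, dst): count}. src is the device that sent the ICMP (where the
    ACL lives); dst is the home-net host whose outbound traffic was filtered."""
    return dict(Counter((a["src"], a["dst"]) for a in alerts if is_admin_prohibited(a)))

def blocked_home_hosts(alerts):
    """Rank home-net hosts by how often their traffic was filtered; the top entries
    are the machines to check for an ICMP-heavy app or a misrouted service."""
    return Counter(a["dst"] for a in alerts if is_admin_prohibited(a)).most_common()

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for pair, n in sorted(summarize_admin_prohibited(parsed).items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]:>15} -> {pair[1]:<15} {n}")
    print("home hosts:", blocked_home_hosts(parsed))
```

Run it against the real `/var/log/snort/alert` (fast format) instead of the constructed sample; the Echo Reply line is included only to show that unrelated ICMP alerts are filtered out.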
