[Snort-users] ICMP Time-To-Live Exceeded in Transit

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Dec 23 03:28:01 EST 2003


what is in the payload? Those ICMP-packets (usually) transport 8 bytes
of the packet's header that caused the error. If the originate packets
are comming from your host(s), than you may probably often use
traceroute ;). If not, consider creating a passrule for those packets.
Where is your sensor sitting? On the router or on your computer? You may
also consider running Snort behind your packet filter (if you have one).
Your NATing router should only forward ICMP errors that related to your
connections. *DO NOT BLOCK ICMP* completely, since that may cause more
problems as it solves.

Hm, the more I think about your problem, the more it is becoming clear
to me that you simply provided a bit to less information ;) .


Erwin Van de Velde schrieb:

> Hi,
> I'm using snort 2.1.0 and I'm getting quite a lot of these alerts
> (43% of the total of alerts). All packets that are logged, are going
> to a computer behind my router. I'm using NAT on the router, and my
> internal network has only one computer behind it: Router
> has (DHCP configured IP, as IP addresses. What can I do
> to get rid of all these messages, except disabling this rule? Is
> there a way to tweak snort, so that it does not generate these false
> positives anymore? Is it an error caused by shorewall, that I use on
> the router for NAT, or is there another reason why these alerts are
> generated?
> Thanks in advance,
> Erwin Van de Velde Student of Antwerp University Belgium

Edin Dizdarevic

More information about the Snort-users mailing list