[Snort-users] ICMP Source Quench

Chris Green cmg at ...1935...
Mon Jul 7 09:08:13 EDT 2003


"Bryan Waters" <bryanw at ...9616...> writes:

> What is an "ICMP Source Quench"?
>
> I have snort running and its working fine...i'm just looking for a place to
> determine what some of the more poorly documented rules are...so i can get
> an idea of what exactly is happening and how much of a threat it is...

Please tell me you atleast did (Lie if you have to :-)):

http://www.google.com/search?hl=en&query=ICMP+Source+Quench.

http://www.firewall.cx/icmp-source-quench.php

The additional $0.02 from experience:

Often times if you see ICMP source quenches your network is either
flooding a particular network OR you netblock is being spoofed and
some poor old sod is being flooded and can only yell at you about it.

Try reverse dns on the Source IP and if it's an IRC server, it's probably
the latter.
-- 
Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.




More information about the Snort-users mailing list