[Snort-users] question about ICMP echo reply (undefined code) rule

Rob Burris robeb at ...10609...
Thu Nov 20 13:35:10 EST 2003


Snort is logging alerts when ICMP type 0 echo reply messages come back 
into my network. I'm okay with that as long as the echo request was 
sent from my network. But I'm a little confused about the SID 
description of this type of alert.

"This event is generated when a network host generates an ICMP Echo 
Reply with an invalid or undefined ICMP Code"

http://www.snort.org/snort-db/sid.html?id=409

This snort rule is looking for an ICMP packet with itype:0.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply 
(Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)

But isn't this type of ICMP message expected back from the machine that 
is replying to the request?

"ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo 
Reply datagrams.  This type of message is used to determine if a host is 
active on the network."

I guess I'm not sure why it is considered invalid or undefined? Just 
wondering...

- rob
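The confusion in the post comes from the rule body matching on the ICMP type alone: `itype: 0` fires on every echo reply, whatever its code, so it cannot distinguish a normal type 0 / code 0 reply from one carrying a code that RFC 792 never defined. The following is an added example, not code from the post or from the Snort project: it builds a few constructed ICMP messages (no IP header), verifies the RFC 792 checksum, and evaluates the quoted rule options against them with a tiny matcher for Snort's `itype`/`icode` keywords. The `icode:>0` variant is my own illustration of how a code-aware rule would behave, not a claim about how the official SID 409 rule was later written; the handling of the `min<>max` range form as exclusive is an assumption, so check the manual for your Snort version.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(itype: int, icode: int, ident: int = 0x1234, seq: int = 1,
               payload: bytes = b"ping") -> bytes:
    """Constructed sample ICMP message with a correct checksum (offline test data)."""
    header = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload

def parse_icmp(raw: bytes) -> dict:
    """Decode the 8-byte ICMP header; checksum_ok is True when the whole message sums to zero."""
    if len(raw) < 8:
        raise ValueError("ICMP header is 8 bytes")
    itype, icode, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": itype, "code": icode, "checksum_ok": icmp_checksum(raw) == 0,
            "id": ident, "seq": seq, "payload": raw[8:]}

def parse_rule_options(options: str) -> dict:
    """Split a Snort rule body into keyword -> value (only itype/icode are evaluated below)."""
    opts = {}
    for item in options.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip()
    return opts

def _range_match(spec: str, value: int) -> bool:
    """Snort numeric forms: 'N', '>N', '<N', 'N<>M' (range assumed exclusive here)."""
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo < value < hi
    if spec.startswith(">"):
        return value > int(spec[1:])
    if spec.startswith("<"):
        return value < int(spec[1:])
    return value == int(spec)

def rule_matches(options: str, raw: bytes) -> bool:
    """True when the itype/icode constraints in the rule body match the packet."""
    pkt = parse_icmp(raw)
    opts = parse_rule_options(options)
    if "itype" in opts and not _range_match(opts["itype"], pkt["type"]):
        return False
    if "icode" in opts and not _range_match(opts["icode"], pkt["code"]):
        return False
    return True

# Rule body exactly as quoted in the post, and a hypothetical code-aware variant.
RULE_AS_WRITTEN = ('msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0; '
                   'sid:409; classtype:misc-activity; rev:4;')
RULE_CODE_AWARE = ('msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0; icode:>0; '
                   'sid:409; classtype:misc-activity; rev:4;')

# Constructed samples: a normal reply, a reply with an undefined code, and a request.
SAMPLES = {
    "reply_code0": build_icmp(0, 0),
    "reply_code5": build_icmp(0, 5),
    "request": build_icmp(8, 0),
}

def evaluate(rule: str) -> dict:
    """Map each sample name to whether the rule would alert on it."""
    return {name: rule_matches(rule, raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for label, rule in (("as written", RULE_AS_WRITTEN), ("with icode:>0", RULE_CODE_AWARE)):
        print(label, evaluate(rule))
```

Run stand-alone, the rule as written alerts on both replies, including the perfectly normal type 0 / code 0 one, while the code-aware variant alerts only on the reply whose code is not 0. That is the practical answer to the question: the description talks about an undefined code, but the quoted options never test the code field, so every echo reply from $EXTERNAL_NET into $HOME_NET trips it.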