[Snort-users] question about ICMP echo reply (undefined code) rule
robeb at ...10609...
Thu Nov 20 13:35:10 EST 2003
Snort is logging alerts when ICMP type 0 echo reply messages come back
into my network. I'm okay with that as long as the echo request was
sent from my network. But I'm a little confused about the SID
description of this type of alert.
"This event is generated when a network host generates an ICMP Echo
Reply with an invalid or undefined ICMP Code"
This snort rule is looking for an ICMP packet with itype:0.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)
But isn't this type of ICMP message expected back from the machine that
is replying to the request?
"ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo
Reply datagrams. This type of message is used to determine if a host is
active on the network."
I guess I'm not sure why it is considered invalid or undefined? Just
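As an added example (not part of the post above and not Snort's own code), the following Python parses ICMP echo headers and shows why the quoted rule fires on every echo reply: its only test is itype:0, so an ordinary code-0 reply to your own ping matches exactly as a reply with an undefined code does. A second rule dict adds an icode:>0 test, which is my assumption about what the SID description implies and not the rule text on the page, and a small tracker of outbound echo requests marks inbound replies as solicited or unsolicited, the other concern raised in the message. All addresses and packets are constructed; EchoTracker, rule_matches, RULE_AS_POSTED and RULE_WITH_ICODE are hypothetical helper names, not Snort options or Snort internals.

```python
import struct
from typing import Dict, List, Set, Tuple

ECHO_REPLY = 0     # ICMP type 0
ECHO_REQUEST = 8   # ICMP type 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header + payload.
    Returns 0 when run over a packet whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, icode: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Assemble an echo request/reply with a valid checksum (constructed test data only)."""
    hdr = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> Dict[str, int]:
    """Decode the 8-byte echo header; reject truncated or checksum-corrupt packets."""
    if len(pkt) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(pkt) != 0:
        raise ValueError("ICMP checksum mismatch")
    itype, icode, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"itype": itype, "icode": icode, "id": ident, "seq": seq}


# Rule conditions written as dicts of Snort-style options (hypothetical helper
# names, not Snort syntax). RULE_AS_POSTED carries only the itype test quoted
# in the message, so it fires on every echo reply; RULE_WITH_ICODE adds the
# assumed icode:>0 constraint and fires only when the code is not the
# RFC-defined 0.
RULE_AS_POSTED = {"sid": 409, "msg": "ICMP Echo Reply (Undefined Code!)", "itype": ECHO_REPLY}
RULE_WITH_ICODE = {"sid": 409, "msg": "ICMP Echo Reply (Undefined Code!)",
                   "itype": ECHO_REPLY, "icode_gt": 0}


def rule_matches(rule: Dict, fields: Dict[str, int]) -> bool:
    """Evaluate the itype and icode:> options of a rule against parsed header fields."""
    if "itype" in rule and fields["itype"] != rule["itype"]:
        return False
    if "icode_gt" in rule and fields["icode"] <= rule["icode_gt"]:
        return False
    return True


class EchoTracker:
    """Remembers outbound echo requests so an inbound reply can be classified as
    solicited or unsolicited. Home-net membership is a toy string-prefix test."""

    def __init__(self, home_prefix: str):
        self.home_prefix = home_prefix
        self.pending: Set[Tuple[str, int, int]] = set()

    def is_home(self, ip: str) -> bool:
        return ip.startswith(self.home_prefix)

    def observe(self, src: str, dst: str, pkt: bytes) -> List[str]:
        """Return the labels this packet earns: a solicited/unsolicited verdict
        for inbound echo replies, plus the name of each rule that fires."""
        f = parse_icmp(pkt)
        labels: List[str] = []
        if f["itype"] == ECHO_REQUEST and self.is_home(src) and not self.is_home(dst):
            self.pending.add((dst, f["id"], f["seq"]))
            return labels
        if f["itype"] == ECHO_REPLY and self.is_home(dst) and not self.is_home(src):
            key = (src, f["id"], f["seq"])
            labels.append("solicited" if key in self.pending else "unsolicited")
            self.pending.discard(key)
            for name, rule in (("as_posted", RULE_AS_POSTED), ("with_icode", RULE_WITH_ICODE)):
                if rule_matches(rule, f):
                    labels.append(f"{name}:sid{rule['sid']}")
        return labels


if __name__ == "__main__":
    t = EchoTracker("10.0.0.")
    # Constructed traffic: our ping goes out, the normal code-0 reply comes back,
    # then an unsolicited reply with a nonzero code arrives from another host.
    print(t.observe("10.0.0.5", "192.0.2.1", build_icmp(ECHO_REQUEST, 0, 0x1234, 1, b"ping")))
    print(t.observe("192.0.2.1", "10.0.0.5", build_icmp(ECHO_REPLY, 0, 0x1234, 1, b"ping")))
    print(t.observe("198.51.100.9", "10.0.0.5", build_icmp(ECHO_REPLY, 5, 0x4242, 7)))
```

Running the script shows the itype-only condition firing on the legitimate reply to our own ping as well as on the unsolicited nonzero-code reply, while the icode:>0 variant fires only on the latter. The tracker keys on (peer, id, seq), so a reply that echoes a request we never sent is reported as unsolicited even when its code is 0.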