[Snort-users] Snort ICMP # 485

Glenn Forbes Fleming Larratt glratt at ...604...
Mon Nov 24 05:14:06 EST 2003


Not sure what you mean by "i have read what is about #485", but:

ICMP is often part of a so-called "protocol bender", in that an ICMP
packet often occurs as a response to a non-ICMP packet, usually to
report some error condition. Some of the most common ICMP messages in
this case include "unreachable" messages of various sorts and
"timeout" messages for packet time-to-live (which is used for
UNIX-based traceroute - see

http://www.exit109.com/~jeremy/news/providers/traceroute.html

) or fragment reassembly.

The ICMP packets that this rule alerts on are of a slightly different
character. An "administratively prohibited" ICMP message is sent when
a host - usually a router - has access control configured into it that
doesn't allow the traffic that was sent.

A simple example: if your border router doesn't allow connections to
services that are commonly unencrypted, say telnet, SNMP, POP, and IMAP,
you'd have a Cisco ACL that looked like:

  access-list 101 deny tcp any any eq 23
  access-list 101 deny tcp any any eq 110
  access-list 101 deny tcp any any eq 143
  access-list 101 deny udp any any eq 161
  access-list 101 permit ip any any

then the default behavior of your Cisco router when someone tries to
telnet in is for the border router (*not* the target host) to return
this ICMP message to the initiating host, with a copy of the packet
("Original Datagram Dump") that triggered it in the ICMP packet's
payload.

In your particular example, host 195.143.234.178 tried to send a
packet - it's not clear from the data you submitted what sort of
packet - to host 57.72.7.62; however the router with address
57.72.1.170 dropped the packet, and sent this ICMP packet to notify
the sending host of the problem.

If 195.143.0.0/16 or some subset is your network, then either your
host 195.143.234.178 might bear some inspection, or someone might be
spoofing (forging) your address space.

If 57.72.0.0/16 or some subset is your network, then someone at
195.143.234.178 (or spoofing that address) may have been probing your
border.

More data would help :)

	-g


On Mon, 24 Nov 2003, Timm Schneider wrote:

> Hi all,
>
> in my alerts file there is often the entry #485, i.e. ICMP
> Administratively Prohibited.
> On the Snort site I have read what #485 is about.
> Now I have a question: what exactly does this mean?
>
>
> 11/22-05:59:19.952942       57.72.1.170 ->  195.143.234.178
>  Date-Hour           ???                                                my IP
>
> Packet Filtered
>
> Original Datagram Dump
>
> 195.143.234.178 -> 57.72.7.62
>
>
> Why are the IPs not identical?
> What does that mean?
>
> Does Snort get to know the real spoofing address?
>
>
> Thanks in advance.
>
>
>
> Timm Schneider
> -------------------
> Musik-digital-Markt
> Siegesstr.22a
> 80802 München
> Voice: 089/ 51997011
> Fax: 089/ 51997012
> www.mdmarkt.de
> HD recording
> Network technology
> Studio technology
> Our mails are checked with Kaspersky AVP virus scan.
>
>
>

				Glenn Forbes Fleming Larratt
				Rice University Networking
				glratt at ...604...
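The mechanism Glenn describes above, as an added example that is not part of the original thread: a small Python builder and decoder for an ICMP Destination Unreachable packet with code 13 ("Communication Administratively Prohibited", the code Snort SID 485 matches on). The builder reproduces the packet from the post, with the router 57.72.1.170 reporting to 195.143.234.178 about a datagram 195.143.234.178 -> 57.72.7.62; the inner packet being a TCP SYN to port 23 is an assumption made here for illustration, since the post does not say what the dropped packet was. The decoder pulls the outer pair (who complained, to whom) and the inner pair (who really sent what, to where) apart, which is exactly why the two address pairs in the alert differ. The checksum, header layout and unreachable-code names follow RFC 792 / RFC 1812; the Snort alert-message strings are not reproduced.

```python
import ipaddress
import socket
import struct

ICMP_UNREACH = 3
# RFC 1812 names for the "administratively prohibited" unreachable codes.
UNREACH_CODES = {
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",  # what SID 485 alerts on
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_admin_prohibited(router: str, orig_src: str, orig_dst: str,
                           orig_dport: int, code: int = 13) -> bytes:
    """What an ACL-denying router sends back: outer IP (router -> original
    sender), ICMP type 3 / code 13, then the original IP header plus the
    first 8 bytes of its payload (RFC 792's "Original Datagram Dump")."""
    # Assumed inner payload: first 8 bytes of a TCP header (sport, dport, seq).
    tcp8 = struct.pack("!HHI", 40000, orig_dport, 1)
    inner = ipv4_header(orig_src, orig_dst, socket.IPPROTO_TCP, len(tcp8)) + tcp8
    icmp = struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    # The notification goes to the *inner* source address, spoofed or not.
    return ipv4_header(router, orig_src, socket.IPPROTO_ICMP, len(icmp)) + icmp


def parse_ipv4(buf: bytes) -> dict:
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ihl": (ver_ihl & 0x0F) * 4, "ttl": ttl}


def decode_unreachable(pkt: bytes) -> dict:
    """Split an ICMP unreachable into the reporter/notified pair and the
    embedded original datagram's pair, the two address pairs the alert shows."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != socket.IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = pkt[outer["ihl"]:]
    itype, icode, _ = struct.unpack("!BBH", icmp[:4])
    if itype != ICMP_UNREACH:
        raise ValueError("not ICMP destination unreachable")
    if checksum(icmp) != 0:  # sum over a correctly checksummed block folds to 0
        raise ValueError("bad ICMP checksum")
    inner = parse_ipv4(icmp[8:])
    l4 = icmp[8 + inner["ihl"]:]
    # 8 bytes of original payload are enough for TCP/UDP source and dest ports.
    ports = struct.unpack("!HH", l4[:4]) if inner["proto"] in (6, 17) and len(l4) >= 4 else None
    return {"reporter": outer["src"], "notified": outer["dst"], "code": icode,
            "reason": UNREACH_CODES.get(icode, "other unreachable (code %d)" % icode),
            "orig_src": inner["src"], "orig_dst": inner["dst"],
            "orig_proto": inner["proto"], "orig_ports": ports}


def interpret(r: dict, my_net: str) -> str:
    """Glenn's two readings, keyed on which side of the dropped packet is yours."""
    net = ipaddress.ip_network(my_net)
    if ipaddress.ip_address(r["orig_src"]) in net:
        return ("outbound: your host %s (or someone spoofing it) sent %s traffic "
                "that %s filtered" % (r["orig_src"], r["orig_proto"], r["reporter"]))
    if ipaddress.ip_address(r["orig_dst"]) in net:
        return ("inbound: %s (or a spoofer) probed %s and your border device %s "
                "filtered it" % (r["orig_src"], r["orig_dst"], r["reporter"]))
    return "transit: neither address in the original datagram is yours"


if __name__ == "__main__":
    pkt = build_admin_prohibited("57.72.1.170", "195.143.234.178", "57.72.7.62", 23)
    result = decode_unreachable(pkt)
    print(result)
    print(interpret(result, "195.143.0.0/16"))
```

Two points worth noting when using this against real alerts: the router addresses the ICMP to whatever source address was in the dropped packet, so a spoofed source means an innocent third party (here, possibly Timm) receives the notification; and a Cisco interface configured with `no ip unreachables` sends none of these, so absence of SID 485 alerts does not mean nothing is being filtered.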
