[Snort-users] Snort ICMP # 485

Glenn Forbes Fleming Larratt glratt at ...604...
Mon Nov 24 05:14:06 EST 2003

Not sure what you mean by "i have read what is about #485", but:

ICMP is often part of a so-called "protocol bender", in that an ICMP
packet often occurs as a response to a non-ICMP packet, usually to
report some error condition. Some of the most common ICMP messages in
this case include "unreachable" messages of various sorts and
"timeout" messages for packet time-to-live (which is used for
UNIX-based traceroute - see


) or fragment reassembly.

The ICMP packets that this rule alerts on are of a slightly different
character. An "administratively prohibited" ICMP message is sent when
a host - usually a router - has access control configured into it that
doesn't allow the traffic that was sent.

A simple example: if your border router doesn't allow connections to
services that are commonly unencrypted, say telnet, SNMP, POP, and IMAP,
you'd have a Cisco ACL that looked like:

  access-list 101 deny tcp any any eq 23
  access-list 101 deny tcp any any eq 110
  access-list 101 deny tcp any any eq 143
  access-list 101 deny udp any any eq 161
  access-list 101 permit ip any any

, then the default behavior of your Cisco router when someone tries to
telnet in is for the border router (*not* the target host) to return
this ICMP message to the initiating host, with a copy of the packet
("Original Datagram Dump") that triggered it in the ICMP packet's

In your particular example, host tried to send a
packet - it's not clear from the data you submitted what sort of
packet - to host; however the router with address dropped the packet, and sent this ICMP packet to notify
the sending host of the problem.

If or some subset is your network, then either your
host might bear some inspection, or someone might be
spoofing (forging) your address space.

If or some subset is your network, then someone at (or spoofing that address) may have been probing your

More data would help :)


On Mon, 24 Nov 2003, Timm Schneider wrote:

> Hi all,
> in my alerts file there is often the entry #485, i.e. ICMP
> Administrative Prohibited.
> On the Snort site I have read what #485 is about.
> Now I have a question: what exactly does this mean?
> 11/22-05:59:19.952942 ->
>  Date-Hour           ???                                                my IP
> Packet Filtered
> Original Datagram Dump
> ->
> Why are the IPs not identical?
> What does that mean?
> Does Snort get to know the real spoofing address?
> Thanks in advance.
> Timm Schneider
> -------------------
> Musik-digital-Markt
> Siegesstr.22a
> 80802 München
> Voice: 089/ 51997011
> Fax: 089/ 51997012
> www.mdmarkt.de
> HD-Recording
> Network engineering
> Studio engineering
> Our mails are checked with Kaspersky AVP virus scan.
> -------------------------------------------------------
				Glenn Forbes Fleming Larratt
				Rice University Networking
				glratt at ...604...
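An added illustration of the point made above (not part of this mailing-list thread, and not Snort's own code): an ICMP "administratively prohibited" message (type 3, code 13) is sent by the filtering router, so its outer source address is the router, while the "Original Datagram Dump" it carries is the IP header (plus the first 8 bytes of payload) of the packet that was dropped. The script below builds such a message from constructed RFC 5737 documentation addresses (client 192.0.2.10, target 203.0.113.5, router 198.51.100.1, a TCP SYN to port 23), then parses it back the way an analyst would read the alert: outer addresses, quoted addresses, quoted protocol and destination port, and a sanity check that the host receiving the ICMP is the sender of the quoted datagram. All names and addresses are assumptions made for the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13   # RFC 1812: "communication administratively prohibited"


@dataclass
class AdminProhibited:
    icmp_src: str              # outer source: the router that filtered the packet
    icmp_dst: str              # outer destination: the host whose packet was dropped
    orig_src: str              # inner (quoted) header: the original sender
    orig_dst: str              # inner header: the original target
    orig_proto: int            # inner header: IP protocol number (6 = TCP, 17 = UDP)
    orig_dport: Optional[int]  # destination port, if the quoted bytes carry TCP/UDP


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used by both IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_admin_prohibited(router: str, orig_packet: bytes) -> bytes:
    """ICMP type 3 / code 13 from `router`, quoting the original IP header plus 8 bytes."""
    orig_ihl = (orig_packet[0] & 0x0F) * 4
    quoted = orig_packet[:orig_ihl + 8]                 # the "Original Datagram Dump"
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_ADMIN_PROHIBITED, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    orig_src = socket.inet_ntoa(orig_packet[12:16])     # notify the original sender
    return build_ipv4(router, orig_src, 1, icmp)


def parse_admin_prohibited(frame: bytes) -> Optional[AdminProhibited]:
    """Return outer and quoted addresses if `frame` is an ICMP admin-prohibited message, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or len(frame) < ihl + 8:
        return None                                     # not ICMP, or truncated
    outer_src = socket.inet_ntoa(frame[12:16])
    outer_dst = socket.inet_ntoa(frame[16:20])
    icmp = frame[ihl:]
    if (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, ICMP_CODE_ADMIN_PROHIBITED):
        return None
    if inet_checksum(icmp) != 0:
        return None                                     # corrupted ICMP message
    inner = icmp[8:]                                    # quoted original datagram
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    orig_src = socket.inet_ntoa(inner[12:16])
    orig_dst = socket.inet_ntoa(inner[16:20])
    proto = inner[9]
    dport = None
    if proto in (6, 17) and len(inner) >= inner_ihl + 4:
        dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return AdminProhibited(outer_src, outer_dst, orig_src, orig_dst, proto, dport)


def consistent(alert: AdminProhibited) -> bool:
    """The host the ICMP is delivered to should be the sender of the quoted datagram."""
    return alert.icmp_dst == alert.orig_src


# Constructed sample (RFC 5737 documentation addresses): client 192.0.2.10 tries
# telnet (TCP/23) to 203.0.113.5; border router 198.51.100.1 filters the SYN.
TCP_SYN_TO_TELNET = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, 0x02, 65535, 0, 0)
ORIGINAL = build_ipv4("192.0.2.10", "203.0.113.5", 6, TCP_SYN_TO_TELNET)
SAMPLE = build_admin_prohibited("198.51.100.1", ORIGINAL)

if __name__ == "__main__":
    a = parse_admin_prohibited(SAMPLE)
    print(f"{a.icmp_src} -> {a.icmp_dst}  (ICMP sender is the filtering router)")
    print(f"Original datagram: {a.orig_src} -> {a.orig_dst} proto {a.orig_proto} dport {a.orig_dport}")
    print("consistent:", consistent(a))
```

Read against the alert in the question: the first address pair is the outer header (router -> your host), the pair under "Original Datagram Dump" is the inner header (your host -> the host it tried to reach), which is why the two pairs differ. The `consistent` check is the first thing to look at when the outer destination and the quoted source disagree; such a mismatch means the message was delivered to a host that did not send the quoted packet.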

