[Snort-users] Newbie: why so many ICMPs?

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Thu Jul 8 01:45:06 EDT 2004

--On 07 July 2004 20:50 -0600 John Bertagnolli <ijbert at ...3027...> wrote:

> I spent yesterday loading Fedora 2, snort and ACID. I have everything
> working like I think it's supposed to. When I log into my ACID page, I
> see literally hundreds of "ICMP Destination Unreachable Communication
> with Destination Host is Administratively Prohibited" messages. The
> source address is my IP, the destination address varies. These messages
> are 90% of what I am seeing in ACID.
> I can see these entries logged if I try to ftp to my machine, having ftp
> off. My thought is that the service is denied, the ICMP is generated, and
> my router is interfering. I have a Netgear ADSL Firewall Router DG834. I
> have turned off NAT and added firewall holes to allow all traffic inbound
> and output.
> Is this a reasonable assumption? I could buy a new ADSL modem. Barring
> that, could I turn these responses off, since they aren't getting past my
> modem/router? Or is that something I shouldn't do?

You haven't really given us enough details to go on, but my guess is that 
you're allowing virtually everything in (through your router) from the 
Internet to your internal hosts, and that these hosts are rejecting 
incoming portscans and suchlike with the ICMP messages that you're seeing 
in ACID. Note that if you've enabled the firewall during the Fedora 
installation, it will, IIRC, generate ICMP Admin Prohibited messages for 
incoming connections that it rejects.

> Thanks,
> John

Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-users mailing list