[Snort-users] Newbie: why so many ICMPs?
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Thu Jul 8 01:45:06 EDT 2004
--On 07 July 2004 20:50 -0600 John Bertagnolli <ijbert at ...3027...> wrote:
> I spent yesterday loading Fedora 2, snort and ACID. I have everything
> working like I think it's supposed to. When I log into my ACID page, I
> see literally hundreds of "ICMP Destination Unreachable Communication
> with Destination Host is Administratively Prohibited" messages. The
> source address is my IP, the destination address varies. These messages
> are 90% of what I am seeing in ACID.
> I can see these entries logged if I try to ftp to my machine, having ftp
> off. My thought is that the service is denied, the ICMP is generated, and
> my router is interfering. I have a Netgear ADSL Firewall Router DG834. I
> have turned off NAT and added firewall holes to allow all traffic inbound
> and outbound.
> Is this a reasonable assumption? I could buy a new ADSL modem. Barring
> that, could I turn these responses off, since they aren't getting past my
> modem/router? Or is that something I shouldn't do?
You haven't really given us enough details to go on, but my guess is that
you're allowing virtually everything in (through your router) from the
Internet to your internal hosts, and that these hosts are rejecting
incoming portscans and suchlike with the ICMP messages that you're seeing
in ACID. Note that if you've enabled the firewall during the Fedora
installation, it will, IIRC, generate ICMP Admin Prohibited messages for
incoming connections that it rejects.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
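An added example (not from either poster) for checking what those alerts are answering: an ICMP Destination Unreachable message carries the original IP header plus the first 8 bytes of its payload, so decoding an admin-prohibited reply shows which inbound connection the host's firewall refused. The packet bytes, hosts and ports below are constructed placeholders.

```python
import socket
import struct

# ICMP type 3 (Destination Unreachable) codes meaning "administratively prohibited"
ADMIN_PROHIBITED_CODES = {
    9: "network administratively prohibited",
    10: "communication with destination host administratively prohibited",
    13: "communication administratively prohibited",
}

def ipv4_header(proto, src, dst, payload_len):
    """Minimal IPv4 header (checksum left as 0; we decode, not transmit)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(data):
    """Return (proto, src, dst, header_len) from a raw IPv4 header."""
    ihl = (data[0] & 0x0F) * 4
    return data[9], socket.inet_ntoa(data[12:16]), socket.inet_ntoa(data[16:20]), ihl

def explain_icmp_unreachable(packet):
    """Decode an IPv4/ICMP type 3 packet and say which connection was refused.
    RFC 792: the ICMP body carries the original IP header + first 8 payload
    bytes, so for TCP/UDP the rejected destination port is recoverable."""
    proto, icmp_src, _icmp_dst, ihl = parse_ipv4(packet)
    if proto != 1:                       # not ICMP
        return None
    icmp = packet[ihl:]
    if icmp[0] != 3 or icmp[1] not in ADMIN_PROHIBITED_CODES:
        return None
    inner = icmp[8:]                     # embedded copy of the rejected datagram
    in_proto, in_src, _in_dst, in_ihl = parse_ipv4(inner)
    ports = struct.unpack("!HH", inner[in_ihl:in_ihl + 4]) if in_proto in (6, 17) else (None, None)
    return {
        "reason": ADMIN_PROHIBITED_CODES[icmp[1]],
        "rejecting_host": icmp_src,      # the host whose firewall sent the ICMP
        "rejected_from": in_src,         # who was trying to connect
        "rejected_port": ports[1],
        "proto": {6: "tcp", 17: "udp"}.get(in_proto, str(in_proto)),
    }

def build_sample():
    """Constructed packet: 198.51.100.7 probes TCP/21 on 192.0.2.10, which rejects it."""
    tcp_start = struct.pack("!HHI", 40000, 21, 1)          # sport, dport, seq
    inner = ipv4_header(6, "198.51.100.7", "192.0.2.10", len(tcp_start)) + tcp_start
    icmp = struct.pack("!BBHI", 3, 10, 0, 0) + inner       # type 3, code 10, unused field
    return ipv4_header(1, "192.0.2.10", "198.51.100.7", len(icmp)) + icmp
```

Run `explain_icmp_unreachable` over the raw IP packets Snort logged (or a pcap's bytes) and the `rejecting_host`/`rejected_port` fields tell you whether it is your own host's firewall answering probes, as the reply above suggests.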