[Snort-users] exporting snort logs

Joe Patterson jpatterson at ...12705...
Wed Nov 24 08:24:05 EST 2004

IIRC, the "content" of ICMP unreachables (of which a "administratively
prohibited" is a flavor) should be the header of the packet that triggered
the unreachable message.  You can either parse that manually, or (for the
lazy among us - which would be me) capture a bunch of the icmp unreachables
and look at them in ethereal, which will parse the included header for you.

More information about the Snort-users mailing list