[Snort-users] exporting snort logs
jpatterson at ...12705...
Wed Nov 24 08:24:05 EST 2004
IIRC, the "content" of ICMP unreachables (of which an "administratively
prohibited" is a flavor) should be the header of the packet that triggered
the unreachable message. You can either parse that manually, or (for the
lazy among us - which would be me) capture a bunch of the ICMP unreachables
and look at them in Ethereal, which will parse the included header for you.
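
Added example, not part of the original post: a manual parse of the header quoted inside an ICMP destination unreachable, which per RFC 792 is the original IP header plus the first 8 bytes of its payload. The function name and the sample message (documentation addresses, zeroed checksums) are constructed for illustration.

```python
import socket
import struct

# ICMP type 3 codes that mean "administratively prohibited" (RFC 1122, RFC 1812)
ADMIN_PROHIBITED = {
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

def parse_unreachable(icmp: bytes) -> dict:
    """Parse an ICMP message (starting at the ICMP header) and return
    the fields of the original packet quoted in its payload."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a destination unreachable message")
    inner = icmp[8:]  # skip type, code, checksum and 4 unused bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("no quoted IPv4 header")
    ihl = (inner[0] & 0x0F) * 4  # header length; options make it > 20
    if ihl < 20 or len(inner) < ihl:
        raise ValueError("quoted IPv4 header truncated")
    proto = inner[9]
    result = {
        "code": code,
        "reason": ADMIN_PROHIBITED.get(code, "other unreachable"),
        "proto": proto,
        "src": socket.inet_ntoa(inner[12:16]),
        "dst": socket.inet_ntoa(inner[16:20]),
        "sport": None,
        "dport": None,
    }
    l4 = inner[ihl:ihl + 8]  # only 8 bytes of payload are guaranteed
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP start with ports
        result["sport"], result["dport"] = struct.unpack("!HH", l4[:4])
    return result

# Constructed sample: code 13 quoting a TCP packet 192.0.2.10:40000 -> 198.51.100.5:23
_QUOTED_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                         socket.inet_aton("192.0.2.10"),
                         socket.inet_aton("198.51.100.5"))
_QUOTED_TCP = struct.pack("!HHI", 40000, 23, 1)  # ports + sequence number
SAMPLE = struct.pack("!BBHI", 3, 13, 0, 0) + _QUOTED_IP + _QUOTED_TCP

if __name__ == "__main__":
    print(parse_unreachable(SAMPLE))
```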