[Snort-users] how to further diagnose 'ICMP Destination Unreachable' problem?
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Wed Aug 31 02:14:09 EDT 2005
--On 29 August 2005 10:11 -0700 "Chris W. Parker" <cparker at ...13453...>
> I have a lot of 'ICMP Destination Unreachable Port Unreachable' alerts
> (36%) and I'm wondering what I should do to diagnose and correct the
> I don't know much about networking so I wasn't able to glean much
> insight from the Snort website
Sort by destination address (since these ICMP messages are generated in
response to something that the *destination* purportedly did /previously/),
and see if they are largely attributable to a single host. If they are,
chances are that host was port-scanning or was being used as a decoy source
address for a port scan. If not, they're probably just background noise.
For the future, I suggest using thresholding to limit the number of ICMP
Destination Unreachable alerts logged, such that only a particularly noisy
host causes alerts, e.g.:
threshold: type both, track by_dst, count 800, seconds 600;
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
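To illustrate the triage the reply describes (group the Port Unreachable alerts by destination, then see how a `type both, track by_dst` threshold would behave), here is an added Python example; it is not from the original post or the Snort project, the alert lines are constructed samples in Snort's fast-alert format, and `threshold_both` is a simplified model of the threshold semantics, not Snort's own code.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Snort "fast" alert format (not real captures).
# For an ICMP Port Unreachable, the *destination* is the host whose earlier
# packet provoked the reply, which is why the post says to group by destination.
SAMPLE_ALERTS = """\
08/29-10:11:02.100000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Priority: 3] {ICMP} 10.1.1.7 -> 10.1.1.50
08/29-10:11:02.300000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Priority: 3] {ICMP} 10.1.1.8 -> 10.1.1.50
08/29-10:11:02.500000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Priority: 3] {ICMP} 10.1.1.9 -> 10.1.1.50
08/29-10:13:40.000000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Priority: 3] {ICMP} 10.1.1.7 -> 10.1.1.50
08/29-10:15:10.000000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Priority: 3] {ICMP} 10.1.1.20 -> 10.1.1.60
"""

ALERT_RE = re.compile(
    r"^\d\d/\d\d-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+ \[\*\*\] "
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)

def parse_alerts(text):
    """Return (seconds_since_midnight, sid, msg, src, dst) for each parseable line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not a fast-format alert line
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        out.append((ts, int(m["sid"]), m["msg"], m["src"], m["dst"]))
    return out

def count_by_dst(alerts, msg_substr="Port Unreachable"):
    """Step 1 of the advice: how many Port Unreachable alerts point at each destination.
    A destination that dominates the count is the host whose probes drew the replies."""
    return Counter(a[4] for a in alerts if msg_substr in a[2])

def threshold_both(alerts, count, seconds):
    """Model of 'type both, track by_dst': one alert per destination per window
    once the window holds `count` hits; further hits in that window are suppressed."""
    emitted = []
    windows = defaultdict(lambda: [None, 0, False])  # dst -> [window_start, hits, fired]
    for ts, sid, msg, src, dst in alerts:
        w = windows[dst]
        if w[0] is None or ts - w[0] >= seconds:
            w[:] = [ts, 0, False]  # window expired (or first hit): start a fresh one
        w[1] += 1
        if w[1] >= count and not w[2]:
            w[2] = True
            emitted.append((ts, dst, w[1]))
    return emitted
```

With the post's own values (count 800 in 600 seconds) the sample data produces no alert at all; lowering the count shows a single alert for the one destination that drew replies from several hosts.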