[Snort-users] how to further diagnose 'ICMP Destination Unreachable' problem?

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Aug 31 02:14:09 EDT 2005

--On 29 August 2005 10:11 -0700 "Chris W. Parker" <cparker at ...13453...> 

> I have a lot of 'ICMP Destination Unreachable Port Unreachable' alerts
> (36%) and I'm wondering what I should do to diagnose and correct the
> problem.
> I don't know much about networking so I wasn't able to glean much
> insight from the Snort website
> (http://www.snort.org/pub-bin/sigs.cgi?sid=402).

Sort by destination address (since these ICMP messages are generated in 
response to something that the *destination* purportedly did /previously/), 
and see if they are largely attributable to a single host. If they are, 
chances are that host was port-scanning or was being used as a decoy source 
address for a port scan. If not, they're probably just background noise.

For the future, I suggest using thresholding to limit the number of ICMP 
Destination Unreachable alerts logged, such that only a particularly noisy 
host causes alerts. e.g:

threshold: type both, track by_dst, count 800, seconds 600;

> Thanks,
> Chris.

Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-users mailing list