Hugo Chun Hin Lai
hchlai at ...2792...
Wed Jan 26 08:24:01 EST 2005
David, I have also seen a lot of these ICMP packets on my network. In fact, I have also seen "ICMP Destination Unreachable Communication Administratively Prohibited" alerts on my network as well. Sig 485 and sig 486 seem to be related, but I have not figured out the exact differences. I have read RFC 1812 but I am still very lost. I am currently checking my routers' ACL and firewall rules to see if I am denying any traffic that's particularly causing the alert. The only worry that I have is spoofed traffic. Can anybody give me some pointers on how to investigate these alerts (ICMP Destination Unreachable Communication Administratively Prohibited & ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited)?
David Young <korang at ...11827...> wrote:
>I have Snort running on a Fedora Core 3 server. I see a lot of ICMP
>Destination Unreachable Communication with Destination Host is
>Administratively Prohibited alerts. The problem is it appears that
>my server is the source IP. Is my server running rogue pings? Or is
>it as I suspect that someone has scanned or pinged my server but
>is unable to respond? Thanks in advance.
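An added example, not part of the original thread: one way to triage these alerts is to read the packet that the ICMP error quotes (the offending IP header plus its first 8 bytes) and compare it with the sensor host's own address. The function names, the sample addresses (documentation ranges) and the constructed packet are assumptions made for illustration.

```python
import ipaddress
import struct

# ICMP type 3 codes behind the two alert names in the thread (IANA / RFC 1122, RFC 1812).
CODES = {10: "Communication with Destination Host is Administratively Prohibited",
         13: "Communication Administratively Prohibited"}

def parse_ipv4(buf):
    """Return (src, dst, protocol, header_length) for an IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return (str(ipaddress.IPv4Address(buf[12:16])), str(ipaddress.IPv4Address(buf[16:20])), buf[9], ihl)

def explain_unreachable(packet, my_ip):
    """Classify one raw IPv4 packet carrying ICMP Destination Unreachable."""
    src, dst, proto, ihl = parse_ipv4(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not an ICMP Destination Unreachable")
    # The error quotes the packet that was refused: its IP header + 8 bytes.
    o_src, o_dst, o_proto, o_ihl = parse_ipv4(icmp[8:])
    quoted = icmp[8 + o_ihl:]
    has_ports = o_proto in (6, 17) and len(quoted) >= 4   # TCP or UDP
    ports = struct.unpack("!HH", quoted[:4]) if has_ports else None
    if src == my_ip and o_dst == my_ip:
        verdict = "local filter rejected an inbound packet"
    elif dst == my_ip and o_src == my_ip:
        verdict = "remote filter rejected a packet with our source address (ours or spoofed)"
    else:
        verdict = "quoted packet does not involve this host; inspect further"
    return {"code": CODES.get(icmp[1], "code %d" % icmp[1]), "icmp_from": src, "icmp_to": dst,
            "orig_src": o_src, "orig_dst": o_dst, "orig_proto": o_proto, "orig_ports": ports, "verdict": verdict}

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at zero) for the constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

# Constructed sample: host 192.0.2.10 refuses a TCP SYN from 198.51.100.7 to port 445.
ORIG = build_ipv4("198.51.100.7", "192.0.2.10", 6, struct.pack("!HHI", 40000, 445, 1))
SAMPLE = build_ipv4("192.0.2.10", "198.51.100.7", 1, struct.pack("!BBHI", 3, 10, 0, 0) + ORIG)

if __name__ == "__main__":
    print(explain_unreachable(SAMPLE, "192.0.2.10"))
```

When the second verdict appears, check the quoted source port and protocol against the host's own connection logs to decide whether the host really sent the original packet.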