[Snort-users] Alerts

Hugo Chun Hin Lai hchlai at ...2792...
Wed Jan 26 08:24:01 EST 2005

David, I have also seen a lot of these ICMP packets on my network. In fact, I have also seen "ICMP Destination Unreachable Communication Administratively Prohibited" alerts on my network as well. Sig 485 and sig 486 seem to be related, but I have not figured out the exact differences. I have read RFC 1812 but I am still very lost. I am currently checking my routers' ACL and firewall rules to see if I am denying any traffic that in particular is causing the alert. The only worry that I have is spoofed traffic. Can anybody give me some pointers on how to investigate these alerts (ICMP Destination Unreachable Communication Administratively Prohibited & ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited)?
Many Thanks!


David Young <korang at ...11827...> wrote:

>I have Snort running on a Fedora Core 3 server.  I see a lot of ICMP
>Destination Unreachable Communication with Destination Host is
>Administratively Prohibited alerts.  The problem is it appears that
>my server is the source IP.  Is my server running rogue pings?  Or is
>it as I suspect that someone has scanned or pinged my server but
>is unable to respond?  Thanks in advance.
>David Young
