[Snort-users] Alerts

Brian Jameson tech at ...11974...
Wed Jan 26 10:04:04 EST 2005


David wrote

>I have Snort running on a Fedora Core 3 server.  I see alot of ICMP
>Destination Unreachable Communication with Destination Host is
>Administratively Prohibited    alerts.  The problem is it appears that
>my server is the source IP.  Is my server running rouge pings?  Or is
>it as I suspect that someone has scanned or pingged(sp) my server but
>is unable to respond?  Thanks in advance.
>
>David Young

I came across the same thing when I upgraded to Fedora Core 3. The ICMP
Destination Unreachables for me were down to the Firewall on the Fedora
Core 3 machines. In /etc/sysconfig/iptables are the rules fed to iptables
and in Core 3 the final line is a:-
'-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' if the
firewall is activated. I changed this to a DROP and removed the
--reject-with icmp-host-prohibited and the problem went away.

regards,
Brian





More information about the Snort-users mailing list