[Snort-users] Alerts

Bill Parker dogbert at ...11664...
Wed Jan 26 10:38:02 EST 2005


----- Original Message ----- 
From: "Hugo Chun Hin Lai" <hchlai at ...2792...>
To: "David Young" <korang at ...11827...>; <snort-users at lists.sourceforge.net>
Sent: Wednesday, January 26, 2005 8:22 AM
Subject: RE: [Snort-users] Alerts


> David, I have also seen a lot of these ICMP packets on my network. In
fact, I have also seen "ICMP Destination Unreachable Communication
Administratively Prohibited" alerts on my network as well. Sig 485 and sig
486 seems to be related, but I have not figured out the exact differences. I
have read RFC 1812 but I am still very lost. I am currently checking my
routers' ACL and firewall rules to see if I am denying any traffic that's
particular causing the alert. The only worry that I have is spoofed traffic.
Can anybody give me some pointers on how to investigate these alerts (ICPM
Destination Unreachable Communication Administratively Prohibited & ICMP
Destination Unreachable Communication with Destination Host is
Administratively Prohibited)?

Actually, the first step you probably want to do is to prevent your router
from issuing messages about 'ip unreachables', and if you are using a cisco
based router, you can apply the command 'no ip unreachables' to every
interface that you have inbound from the internet and the
interface which actually serves as the gateway for your LAN.  Another thing
which would help would be to turn off 'directed broadcasts'
in the router as well (leads to a potential Smurf attack), this is also done
on the router interfaces in question.  Other routers may have these features
as well, so I would check with the vendors also.

Make sure that you back up your existing router configuration BEFORE
attempting any of these things (either via TFTP) or a copy and
paste operation into notepad, vi, etc.

If you are in a cisco environment, a couple of good books to get are:

The Cisco Cookbook - O'Reilly (ISBN 0596003676) and

Hardening Cisco Routers - O'Reilly (ISBN 0596001665)

Bill





More information about the Snort-users mailing list