[Snort-users] stream5 and track_icmp

elof at ...6680... elof at ...6680...
Wed Mar 13 08:51:52 EDT 2013

Stream5 track_icmp is disabled by default in snort. Why?

"ICMP messages are tracked for the purposes of checking for unreachable 
and service unavailable messages, which effectively terminate a TCP or UDP 

Isn't this a good thing, to let snort bail early on TCP/UDP streams that 
are terminated and this is informed via an ICMP message?


More information about the Snort-users mailing list