Snort mailing list archives
"Destination Unreachable" flags
From: Neil Dickey <neil () geol niu edu>
Date: Thu, 31 May 2001 11:26:14 -0500 (CDT)
I'm running Snort 1.7 and a modified version of ruleset 1.6.3 from the Snort website on Solaris 2.7. With this setup, alert log entries like this are relatively common:

[**] PING-ICMP Destination Unreachable [**]
05/31-05:28:40.071170 199.70.3.103 -> 111.222.333.444
ICMP TTL:236 TOS:0x0 ID:27964 IpLen:20 DgmLen:56
Type:3  Code:4  DESTINATION UNREACHABLE: FRAGMENTATION NEEDED
** ORIGINAL DATAGRAM DUMP:
111.222.333.444:80 -> 12.88.90.161:1172
TCP TTL:238 TOS:0x0 ID:19734 IpLen:20 DgmLen:1500
12UAPR** Seq: 0xF2CCCD1D  Ack: 0x0  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP

My question has to do with the statement made by another sysop at my university that the list of flags in the "original datagram dump" as reported by Snort is not reliable. I was intrigued by what appeared to me to be unusual combinations, and the fact that the reserved bits were set, in the packet originally sent out by my machine. Such entries are most commonly associated with outgoing packets from ports 80 and 25 (web daemon and sendmail, respectively). It hasn't seemed reasonable to me that these flags would be erroneously reported.

So, can anyone tell me whether this guy is right or wrong?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
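Editor's added example (not part of the post above, and not Snort's own decoder): a small Python decoder for an ICMP Destination Unreachable that reports which fields of the quoted original TCP header are actually carried in the ICMP payload. RFC 792 requires a router to quote only the original IP header plus the first 8 bytes of its payload; for TCP that is the two ports and the sequence number, while the data offset, flags, window and urgent pointer sit at TCP header offsets 12 to 19. Routers are allowed to quote more (RFC 1812 permits up to 576 bytes in total), so the decoder goes beyond the single alert above and checks the quoted length instead of assuming either case. The sample packet is constructed here from the header values in the alert; 192.0.2.1 stands in for the masked 111.222.333.444, the next-hop MTU of 576 is an assumption, and checksums are left at zero.

```python
"""Decode an ICMP Destination Unreachable (type 3) and report which fields of
the quoted original TCP header are present on the wire versus absent."""
import struct

# (field name, byte offset within the TCP header, struct format)
TCP_FIELDS = (
    ("sport", 0, "!H"),
    ("dport", 2, "!H"),
    ("seq", 4, "!I"),
    ("ack", 8, "!I"),
    ("data_offset_reserved", 12, "!B"),
    ("flags", 13, "!B"),
    ("window", 14, "!H"),
    ("checksum", 16, "!H"),
    ("urgptr", 18, "!H"),
)

# Snort 1.x style flag string: the two reserved bits print as '1' and '2'.
FLAG_BITS = ((0x80, "1"), (0x40, "2"), (0x20, "U"), (0x10, "A"),
             (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F"))


def flags_to_str(flags):
    """Render a TCP flags byte the way Snort 1.x prints it, e.g. '12UAPR**'."""
    return "".join(ch if flags & bit else "*" for bit, ch in FLAG_BITS)


def _ihl(buf, off=0):
    """IPv4 header length in bytes from the IHL nibble."""
    return (buf[off] & 0x0F) * 4


def _addr(b):
    return ".".join(str(x) for x in b)


def parse_icmp_unreachable(pkt):
    """pkt is a raw IPv4 packet carrying ICMP. Returns a dict describing the
    quoted datagram; TCP fields beyond the quoted bytes are reported as None."""
    icmp = pkt[_ihl(pkt):]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not ICMP Destination Unreachable (type 3)")
    next_hop_mtu = struct.unpack_from("!H", icmp, 6)[0]  # meaningful for code 4
    inner = icmp[8:]                      # quoted original IP datagram
    inner_proto = inner[9]
    quoted = inner[_ihl(inner):]          # quoted bytes of the transport header

    fields = {}
    for name, off, fmt in TCP_FIELDS:
        size = struct.calcsize(fmt)
        if inner_proto == 6 and off + size <= len(quoted):
            fields[name] = struct.unpack_from(fmt, quoted, off)[0]
        else:
            fields[name] = None           # not on the wire: nothing to decode

    return {
        "code": icmp_code,
        "next_hop_mtu": next_hop_mtu,
        "inner_src": _addr(inner[12:16]),
        "inner_dst": _addr(inner[16:20]),
        "inner_proto": inner_proto,
        "quoted_bytes": len(quoted),
        "tcp": fields,
        "flags_str": (flags_to_str(fields["flags"])
                      if fields["flags"] is not None else None),
    }


def build_unreachable(quoted_transport):
    """Constructed sample: outer IP + ICMP type 3 code 4 + quoted inner IP header
    + the given transport bytes. Header values follow the alert in the post;
    192.0.2.1 stands in for the masked address, the next-hop MTU (576) is an
    assumption, and checksums are left zero."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 19734, 0x4000, 238, 6, 0,
                           bytes([192, 0, 2, 1]), bytes([12, 88, 90, 161]))
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, 576)
    total = 20 + len(icmp) + len(inner_ip) + len(quoted_transport)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 27964, 0, 236, 1, 0,
                           bytes([199, 70, 3, 103]), bytes([192, 0, 2, 1]))
    return outer_ip + icmp + inner_ip + quoted_transport


# First 8 bytes of the original TCP header as shown in the post's dump: the
# RFC 792 minimum, which makes the outer datagram 20+8+20+8 = 56 bytes (DgmLen:56).
TCP_FIRST_8 = struct.pack("!HHI", 80, 1172, 0xF2CCCD1D)
SAMPLE = build_unreachable(TCP_FIRST_8)

if __name__ == "__main__":
    r = parse_icmp_unreachable(SAMPLE)
    print(f"code {r['code']}, next-hop MTU {r['next_hop_mtu']}, "
          f"{r['quoted_bytes']} transport bytes quoted")
    for name, value in r["tcp"].items():
        print(f"  {name:22} {'absent' if value is None else hex(value)}")
```

Run against the constructed 56-byte sample, the decoder finds 8 quoted transport bytes, so it can recover the ports and the sequence number but reports the flags, acknowledgement number and window as absent; feed it a packet whose quote carries the full 20-byte header and the same code decodes all nine fields. When auditing a sensor's rendering of these dumps, comparing its printed fields against `quoted_bytes` from a capture is the check that matters.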