Snort mailing list archives

Re: ICMP Unreachable IP short header


From: Phil Wood <cpw () lanl gov>
Date: Mon, 11 Jun 2001 08:37:05 -0600

On Mon, Jun 11, 2001 at 10:04:47AM +0200, Ralf Hildebrandt wrote:

> Hi!
>
> Could somebody enlighten me what this is all about:
>
> Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)
> Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)

If you run with '-b', use tcpdump -x to find the ICMP messages for that time
period.  An ICMP unreachable message is sent back to the source of the packet
which requested something unreachable, like a destination port or address.
(That feature is used in traceroute, which sends packets to hopefully
non-existent ports on a system.  When the sender gets back an ICMP port
unreachable, it knows it has reached the destination.)  Snort does some
validation on the data in the ICMP unreachable, which should be the IP header
of the offending packet (minimum of 20 bytes) and 64 bits of "data"
(usually enough to identify what ports are involved for TCP or UDP packets).
In your case some system, with a marginal IP stack, is sending back crap.
Then again, it could be some program trying to cause trouble for anyone
listening to these things. %^)


> I keep seeing that about twice a day, each day. And I think it is time
> to find out what is causing this...
>
> -- 
> ralf.hildebrandt () innominate com                            innominate AG
> Technical Consultant                   Don't be afraid of what you see -
> Diplom-Informatiker                     be afraid of what you don't see!
> tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
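
The validation described in the reply above (a quoted IP header of at least 20 bytes followed by 64 bits of the offending datagram), as an added example that is not part of the original message and is not Snort's decoder code. It assumes the input bytes start at the ICMP type field; the function name and the sample packets are constructed for illustration.

```python
import struct

ICMP_DEST_UNREACH = 3
ICMP_HDR_LEN = 8      # type, code, checksum, 4 unused bytes
MIN_IP_HDR_LEN = 20   # IPv4 header without options
ORIG_DATA_LEN = 8     # 64 bits of the offending datagram's payload


def classify_unreachable(icmp: bytes) -> str:
    """Classify one ICMP message given as raw bytes from the ICMP type onward."""
    if len(icmp) < ICMP_HDR_LEN:
        return "truncated ICMP header"
    icmp_type, code = struct.unpack("!BB", icmp[:2])
    if icmp_type != ICMP_DEST_UNREACH:
        return "not destination unreachable"
    quoted = icmp[ICMP_HDR_LEN:]          # what should be the original IP header
    if len(quoted) < MIN_IP_HDR_LEN:
        return f"short quoted IP header ({len(quoted)} bytes)"
    version, ihl = quoted[0] >> 4, (quoted[0] & 0x0F) * 4
    if version != 4 or ihl < MIN_IP_HDR_LEN:
        return f"bad quoted IP header (version {version}, IHL {ihl})"
    if len(quoted) < ihl + ORIG_DATA_LEN:
        have = max(0, len(quoted) - ihl)
        return f"quoted datagram lacks 64 bits of data ({have} bytes)"
    proto = quoted[9]
    src = ".".join(map(str, quoted[12:16]))
    dst = ".".join(map(str, quoted[16:20]))
    if proto in (6, 17):                  # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
        return f"ok code={code} {src}:{sport} -> {dst}:{dport} proto={proto}"
    return f"ok code={code} {src} -> {dst} proto={proto}"


# Constructed samples (checksums left at zero; they are not verified here).
_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                  bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
_udp = struct.pack("!HHHH", 40000, 33434, 8, 0)
GOOD = bytes([ICMP_DEST_UNREACH, 3, 0, 0, 0, 0, 0, 0]) + _ip + _udp
SHORT = GOOD[:ICMP_HDR_LEN + 18]          # only 18 quoted bytes, as in the log

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("short", SHORT)):
        print(name, "->", classify_unreachable(pkt))
```
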

