Snort mailing list archives
Re: ICMP Unreachable IP short header
From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Mon, 11 Jun 2001 19:38:35 +0200
On Mon, Jun 11, 2001 at 08:37:05AM -0600, Phil Wood wrote:
> > Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)
> > Jun 10 20:10:31 stahlw06 snort[19661]: ICMP Unreachable IP short header (18 bytes)
>
> If you run with '-b', use tcpdump -x to find the icmp messages for that time period.
>
> An ICMP unreachable message is sent back to the source of the packet which requested something unreachable. Like a destination port or address. (That feature is used in traceroute which sends packets to hopefully non-existent ports on a system. When the sender gets back an ICMP port unreachable, it knows it has reached the destination).
>
> Snort does some validation on the data in the icmp unreachable which should be the IP header of the offending packet (minimum of 20 bytes) and 64 bits of "data" (usually enough to identify what ports are involved for tcp or udp packets).
>
> In your case some system, with a marginal IP stack, is sending back crap. Then again, it could be some program trying to cause trouble for anyone listening to these things. %^)
Nothing is logged, since no alert or log rule was triggered:

06/10-18:34:45.726287 [**] IDS239/pcanywhere-start [**] 134.169.73.43:2210 -> 134.169.69.242:5632
06/10-18:54:58.051610 [**] IDS239/pcanywhere-start [**] 134.169.73.43:3840 -> 134.169.69.205:5632
06/10-21:41:59.707592 [**] WEB-IIS .cnf access [**] 212.144.234.103:1126 -> 134.169.69.226:80
06/11-03:47:41.732398 [**] IDS221/http-cgi-finger [**] 206.101.206.11:1592 -> 134.169.69.226:80

--
ralf.hildebrandt () innominate com
innominate AG
Technical Consultant
Diplom-Informatiker
Don't be afraid of what you see - be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX fax: +49.(0)30.308806-77

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
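
The check described in the quoted reply (a 20-byte minimum IP header plus 64 bits of data quoted inside an ICMP unreachable), as an added example that is not part of the thread and is not Snort's source. The names `check_unreachable` and `build_sample` are hypothetical, the sample packets are constructed, and reading the log's "(18 bytes)" as the number of bytes following the ICMP header is an assumption.

```python
import struct

ICMP_DEST_UNREACH = 3
MIN_IP_HEADER = 20   # bytes: IPv4 header without options
QUOTED_DATA = 8      # 64 bits of the offending datagram's payload


def check_unreachable(icmp: bytes) -> str:
    """Classify the datagram quoted inside an ICMP destination unreachable.

    `icmp` starts at the ICMP header (outer IP header already stripped).
    Checksums are not verified here.
    """
    if len(icmp) < 8:
        return "truncated ICMP header"
    icmp_type, code, _cksum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        return "not an unreachable message"
    quoted = icmp[8:]
    if len(quoted) < MIN_IP_HEADER:
        return f"IP short header ({len(quoted)} bytes)"
    version, ihl = quoted[0] >> 4, (quoted[0] & 0x0F) * 4
    if version != 4 or ihl < MIN_IP_HEADER:
        return f"bad quoted IP header (version={version}, ihl={ihl})"
    if len(quoted) < ihl + QUOTED_DATA:
        have = max(len(quoted) - ihl, 0)
        return f"quoted data short ({have} of {QUOTED_DATA} bytes)"
    proto = quoted[9]
    src = ".".join(map(str, quoted[12:16]))
    dst = ".".join(map(str, quoted[16:20]))
    # For TCP and UDP the first four quoted data bytes are the two ports.
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return f"ok code={code} proto={proto} {src}:{sport} -> {dst}:{dport}"


def build_sample(quoted_len: int) -> bytes:
    """Constructed port-unreachable quoting a UDP probe, cut to quoted_len bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    udp = struct.pack("!HHHH", 33434, 33435, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + (ip + udp)[:quoted_len]


if __name__ == "__main__":
    for n in (28, 24, 18):
        print(n, check_unreachable(build_sample(n)))
```
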