Snort mailing list archives
RE: Snort FAQ 1.8
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Tue, 10 Jul 2001 15:07:22 -0700
I have found this to be an accurate source for ICMP codes:
http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
There are also similar ones for protocols and other good stuff.

I keep a full list of the ICMP codes in my PalmIII (I admit it, I can't keep them all in my head without crib-notes. Oh the shame!). I won't spam it to the list, but if anyone wants it, let me know. It is better formatted for a PDA and I've got the RFCs listed as well.

Toby
-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Tuesday, July 10, 2001 2:29 PM
To: Ramin Alidousti
Cc: Dragos Ruiu; roesch () sourcefire com; snort-users () lists sourceforge net; Denis.Ducamp () hsc fr
Subject: Re: [Snort-users] Snort FAQ 1.8

I just had to provide a longer and more nauseating answer to question 4.8:

4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What are all these "ICMP destination unreachable" alerts?

A: ICMP is the acronym for Internet Control Message Protocol. The ICMP Destination Unreachable (message type 3) is sent back to the originator when an IP packet could not be delivered to the destination address. The ICMP Code indicates why the packet could not be delivered. The original codes are:

  0 net unreachable
  1 host unreachable
  2 protocol unreachable
  3 port unreachable
  4 fragmentation needed and DF bit set
  5 source route failed

One source of port unreachable messages (code=3) is a successful (icmp based) traceroute. A code of 3 tells the traceroute program that it has finally reached the host in question (only because it picked a service port that is NOT in use on the destination host).

The ICMP unreachable packet contains a data portion reserved for the original IP header (normally 20 bytes, but possibly with IP options) PLUS 64 bits (8 bytes) of whatever followed the IP header. If the offending packet was TCP or UDP based, then the first 4 bytes (of the 8 bytes) will contain the original source port and destination port (which are 16 bit quantities).

For further information see:
  IP   ftp://ftp.isi.edu/in-notes/rfc791.txt
  ICMP ftp://ftp.isi.edu/in-notes/rfc792.txt
  TCP  ftp://ftp.isi.edu/in-notes/rfc793.txt
  UDP  ftp://ftp.isi.edu/in-notes/rfc768.txt

On Tue, Jul 10, 2001 at 03:49:58PM -0400, Ramin Alidousti wrote:
> The answer of 4.8 suggests that the ICMP carries the first 64 _bytes_ of the original datagram.
> I believe that it should be "the first 64 data _bits_" :-)
>
> Ramin
>
> On Mon, Jul 09, 2001 at 10:30:15PM -0700, Dragos Ruiu wrote:
> > Send me your complaints. :-) Or translations...
> >
> > cheers,
> > --dr
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
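As an added example (not part of this thread or the Snort FAQ), a small Python parser for the message layout the quoted FAQ answer describes: it reads the ICMP code, walks the embedded IP header by its IHL so IP options are skipped, pulls the source and destination ports from the 64 bits that follow when the inner protocol is TCP or UDP, and rejects a message that carries fewer than those 8 bytes. The sample packet, its addresses and ports are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Original RFC 792 codes, as listed in the FAQ answer above.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed and DF bit set", 5: "source route failed"}

@dataclass
class Unreachable:
    code: int
    reason: str
    orig_src: str              # source of the packet that could not be delivered
    orig_dst: str
    orig_proto: int
    orig_sport: Optional[int]  # only known for TCP/UDP
    orig_dport: Optional[int]

def parse_unreachable(icmp: bytes) -> Unreachable:
    """Parse an ICMP type 3 message: 8-byte ICMP header, then the original
    IP header (20 bytes plus any options), then 64 bits of what followed it."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"not destination unreachable: type {icmp_type}")
    inner = icmp[8:]                      # skip type, code, checksum, unused word
    if len(inner) < 20:
        raise ValueError("truncated: embedded IP header missing")
    ihl = (inner[0] & 0x0F) * 4           # IHL includes options, so do not assume 20
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("truncated: fewer than 64 bits follow the IP header")
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport = dport = None
    if proto in (6, 17):                  # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return Unreachable(code, UNREACH_CODES.get(code, f"code {code}"),
                       src, dst, proto, sport, dport)

def build_sample() -> bytes:
    """Constructed sample (not a capture): port unreachable answering a UDP
    traceroute probe 10.0.0.1:43210 -> 10.0.0.2:33434; the embedded IP header
    carries 4 bytes of NOP options (IHL=6) and checksums are left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 32, 0, 0, 1, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"\x01" * 4
    udp_hdr = struct.pack("!HHHH", 43210, 33434, 8, 0)  # the 64 bits after the IP header
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip_hdr + udp_hdr
```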
Current thread:
- Snort FAQ 1.8 Dragos Ruiu (Jul 09)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)
- Re: Snort FAQ 1.8 Blake Frantz (Jul 10)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)
- Re: Snort FAQ 1.8 Phil Wood (Jul 10)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)
- Re: Snort FAQ 1.8 Dragos Ruiu (Jul 10)
- Re: Snort FAQ 1.8 Blake Frantz (Jul 10)
- <Possible follow-ups>
- RE: Snort FAQ 1.8 Kohlenberg, Toby (Jul 10)
- Re: Snort FAQ 1.8 Phil Wood (Jul 10)
- RE: Snort FAQ 1.8 Burleson, Lee (IA) (Jul 11)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 11)
- Re: Snort FAQ 1.8 Phil Wood (Jul 11)
- Re: Snort FAQ 1.8 Paul Howell (Jul 20)
- Re: Snort FAQ 1.8 Dragos Ruiu (Jul 20)
- Re: Snort FAQ 1.8 Ramin Alidousti (Jul 10)