Snort mailing list archives
AW: (Snort-users) snort alert
From: <sandro.poppi () wacker com>
Date: Wed, 17 Oct 2001 08:37:00 +0200
Hi, I have been running snort for a few days. The snort alert log file contains this message:

[**] [1:472:1] ICMP redirect host [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/17-12:57:14.059790 xxx.xxx.xxx.2 -> xxx.xxx.xxx.28
ICMP TTL:2 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:5 Code:1 REDIRECT
[Xref => http://www.whitehats.com/info/IDS135]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0265]

What does it mean? Why does snort tell us about bad traffic between 2 IP addresses? Does it indicate anything serious about my network configuration?
This alert is generated because a router (normally the default gateway) sends an ICMP redirect, which means that it is not responsible for forwarding the sent packet but knows another router which is, telling the station to use the other router. If you have more than one router in the corresponding network segment and the address given in the redirect packet is a known router, you can simply ignore the message; but if you only have one router in the segment or the IP address is not a known router, you should carefully have a look at the given IP addresses (the source and the one in the redirect packet). For more information take a look at the given links.

The "Classification: Potentially Bad Traffic" is defined in /etc/snort/rules/classification.config (on Linux) and is predefined to classify the packets, combining each classification with a priority setting. According to Brian's posts last week (I think) the classifications should be re-done in a more standard way.

HTH,
Sandro

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
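The rule of thumb in Sandro's reply (a redirect from a known router on a segment with more than one router is expected; a redirect from an unknown sender, or on a single-router segment, deserves a look) can be turned into a small triage script. The example below is added here and is not part of the original thread or of Snort itself: it parses a full-format Snort alert record like the one quoted above, reads the `config classification:` lines of a classification.config excerpt to confirm the alert's priority, and applies the triage against a list of routers the operator knows. The addresses (RFC 5737 documentation ranges) and the config excerpt are constructed sample data. Note that Snort's alert text carries only the packet's source and destination, not the gateway address inside the redirect, so the triage keys on the sender; checking the gateway field would need the captured packet.

```python
import ipaddress
import re

# Constructed sample: the alert from the thread, with the masked
# addresses replaced by documentation addresses (192.0.2.0/24).
SAMPLE_ALERT = """[**] [1:472:1] ICMP redirect host [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/17-12:57:14.059790 192.0.2.2 -> 192.0.2.28
ICMP TTL:2 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:5  Code:1  REDIRECT
[Xref => http://www.whitehats.com/info/IDS135]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0265]
"""

# Constructed excerpt in the format used by snort's classification.config:
# config classification: <shortname>,<description>,<priority>
SAMPLE_CLASSIFICATION_CONFIG = """# shortname, description, priority
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,2
"""

HEADER_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
CLASS_RE = re.compile(r"\[Classification:\s*(.*?)\]\s*\[Priority:\s*(\d+)\]")
IP_RE = re.compile(r"(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)\s+->\s+(\S+)")
ICMP_RE = re.compile(r"Type:(\d+)\s+Code:(\d+)")


def parse_classification_config(text):
    """Map classification description -> (shortname, priority)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("config classification:"):
            continue  # comments and unrelated config lines
        body = line.split(":", 1)[1]
        short, desc, prio = [p.strip() for p in body.split(",")]
        table[desc] = (short, int(prio))
    return table


def parse_alert(text):
    """Parse one full-format Snort alert record into a dict of fields."""
    h = HEADER_RE.search(text)
    c = CLASS_RE.search(text)
    i = IP_RE.search(text)
    t = ICMP_RE.search(text)  # absent for non-ICMP alerts
    if not (h and c and i):
        raise ValueError("not a recognisable Snort full-alert record")
    return {
        "gid": int(h.group(1)), "sid": int(h.group(2)), "rev": int(h.group(3)),
        "msg": h.group(4),
        "classification": c.group(1), "priority": int(c.group(2)),
        "timestamp": i.group(1), "src": i.group(2), "dst": i.group(3),
        "icmp_type": int(t.group(1)) if t else None,
        "icmp_code": int(t.group(2)) if t else None,
    }


def priority_matches_config(alert, table):
    """True when the alert's priority agrees with classification.config."""
    entry = table.get(alert["classification"])
    return entry is not None and entry[1] == alert["priority"]


def triage_icmp_redirect(alert, known_routers, segment):
    """Verdict following the reply's rule of thumb, keyed on the sender."""
    if alert["icmp_type"] != 5:
        return "not-a-redirect"
    seg = ipaddress.ip_network(segment)
    routers = {ipaddress.ip_address(r) for r in known_routers}
    src = ipaddress.ip_address(alert["src"])
    if src not in seg:
        return "investigate: redirect sent from outside the local segment"
    if src not in routers:
        return "investigate: sender is not a known router"
    if len(routers) < 2:
        return "investigate: only one router on the segment, a redirect is unexpected"
    return "benign: known router on a multi-router segment"


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    table = parse_classification_config(SAMPLE_CLASSIFICATION_CONFIG)
    print("sid", alert["sid"], alert["msg"], "priority ok:",
          priority_matches_config(alert, table))
    # Hypothetical operator knowledge: two routers on 192.0.2.0/24.
    print(triage_icmp_redirect(alert, ["192.0.2.1", "192.0.2.2"], "192.0.2.0/24"))
    print(triage_icmp_redirect(alert, ["192.0.2.1"], "192.0.2.0/24"))
```

Feed it the records from a full-format alert file split on blank lines; the known-router list and segment are the operator's own inventory, which is exactly the context the alert itself cannot supply.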
Current thread:
- AW: (Snort-users) snort alert sandro.poppi (Oct 16)