Snort mailing list archives
Re: ICMP Destination Unreachable
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 05 Feb 2003 17:46:44 -0500
Ok, it sounds like you need a good course in TCP/IP and how networks work. If you don't know what this packet means already, most snort output is going to be hard to decipher in a meaningful way.
However, I'll start by explaining to you what ICMP destination unreachable packets are, and what that type code means, and follow up with a detailed explanation of one of these alerts detected by my snort sensor.
ICMP is the internet protocol used for carrying a variety of messages, including error messages. One kind of error message is "destination unreachable".
In general, Destination Unreachable is generated by a router or system whenever a packet can't reach its intended destination.
The "Communication administratively prohibited" sub-type of destination unreachable means that a router or firewall explicitly refused to allow a packet to pass. The source of the unreachable packet is the router denying passage, and the destination is the source of the original packet that was refused.
I get lots of these as well, most don't matter, but you really have to look at the datagram dump portion to see what packet was denied.
Here's an example from my setup, with the outside IPs changed (no sense in covering up that the inside IP of my mailserver is 192.168.50.2, that's present in the headers of this very message).
[**] [1:486:2] ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/04-01:45:15.644592 111.111.111.111 -> 192.168.50.2
ICMP TTL:50 TOS:0x0 ID:60059 IpLen:20 DgmLen:56 DF
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
192.168.50.2:36026 -> 111.111.222.222:113
TCP TTL:46 TOS:0x0 ID:47708 IpLen:20 DgmLen:60 DF
Seq: 0xB03DCD16 Ack: 0x6036E73
** END OF DUMP

This tells me that my mailserver (192.168.50.2) attempted to send a TCP packet to another mailserver (111.111.222.222) on port 113 (ident). This packet was refused by a router (111.111.111.111), which generated the unreachable message and sent it back to my mailserver.
Now it's quite common for networks to block ident. There's been lots of vulnerable identd's out there. It's also quite normal for mailservers to run ident checks against servers that are delivering mail to them. Thus, this packet is not particularly concerning, unless of course I had disabled ident checks on my mailserver :)
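Added example, not code from the original post or from Snort: the "ORIGINAL DATAGRAM DUMP" above is simply the quoted IP header plus the first 8 bytes of the TCP header that RFC 792 requires a Destination Unreachable message to carry. This script builds such an ICMP Type 3 / Code 10 message from the constructed values in the alert (checksums left at zero; the IPv4 and TCP fields are assumptions taken from the alert text) and decodes it back into the inner source, destination and ports, which is what lets a sensor report which packet was refused. Note that the alert's DgmLen:56 is exactly 20 (outer IP) + 8 (ICMP) + 20 (inner IP) + 8 (TCP ports and sequence number).

```python
import socket
import struct

ICMP_DEST_UNREACH = 3          # ICMP type 3
ADMIN_PROHIBITED_HOST = 10     # code 10, as in the alert


def ipv4_header(src, dst, proto, total_len, ident, ttl):
    """Minimal 20-byte IPv4 header (IHL=5, DF set); checksum left at 0."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000  # DF bit, no fragment offset
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident,
                       flags_frag, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_unreachable(inner_src, inner_dst, sport, dport, seq, code):
    """ICMP header + quoted original datagram (IP header + 8 bytes of L4)."""
    tcp8 = struct.pack("!HHI", sport, dport, seq)   # ports + sequence number
    # DgmLen 60 / ID 47708 / TTL 46 are the constructed inner-header values
    orig = ipv4_header(inner_src, inner_dst, socket.IPPROTO_TCP, 60, 47708, 46)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    return icmp_hdr + orig + tcp8


def decode_unreachable(payload):
    """Recover which packet was refused from a Destination Unreachable message."""
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", payload[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not an ICMP Destination Unreachable message")
    inner = payload[8:]
    (ver_ihl, _tos, _tlen, _id, _ff, _ttl, proto,
     _cs, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4              # inner header may carry options
    l4 = inner[ihl:ihl + 8]
    result = {"code": code, "proto": proto,
              "orig_src": socket.inet_ntoa(src),
              "orig_dst": socket.inet_ntoa(dst)}
    # Only 8 bytes of L4 are guaranteed; for TCP/UDP that covers both ports
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP) and len(l4) >= 4:
        result["sport"], result["dport"] = struct.unpack("!HH", l4[:4])
    return result


# Constructed sample matching the alert: mailserver -> remote ident, refused
SAMPLE = build_unreachable("192.168.50.2", "111.111.222.222",
                           36026, 113, 0xB03DCD16, ADMIN_PROHIBITED_HOST)

if __name__ == "__main__":
    print(decode_unreachable(SAMPLE))
```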