Snort mailing list archives
RE: ICMP Destination Unreachable
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Wed, 05 Feb 2003 16:45:13 -0600
Actually, I think the sources of the icmps are outside his network and the destinations, of which there are only two, are the machines that he should be investigating.
Ken

At 02:27 PM 2/5/03 -0800, twig les wrote:

So wait a sec. You have over a thousand alerts a day for almost a week and there are only 14 sources? All internal? I would run, not walk, to those machines and find out what in the name of Zeus they are trying to connect to.

--- Dennis Gorman <dennisg () northshoreagency com> wrote:
> So you are saying that the connections that are causing this alert are being
> started by a system on my network?
>
> The destinations are my snort box and my web server. There are also 14
> different sources.
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Kenneth G.
> Arnold
> Sent: Wednesday, February 05, 2003 4:14 PM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] ICMP Destination Unreachable
>
>
> I have been tracking down some of them myself recently. Someone in your
> network has attempted to connect to a location within someone else's
> network that a device in their network will not allow. That device returns
> this icmp packet to tell you this. The destination of the icmp packet is
> the ip address within your network that tried to access the forbidden
> location.
>
> Now the tough part of this is to determine what the person at the
> destination IP address within your network did to provoke this. Snort may
> or may not have caught it depending on your settings and the type of
> activity. I go to my firewall logs and grep for all the activity of the
> user in my network. Then I look through that information for the date and
> time of the icmp packets and try to determine what the user was doing to
> provoke the icmp packets and if that activity is something I want to
> happen. The one I discovered today was 294 ICMP Destination Unreachable
> (Communication with Destination Network is Administratively Prohibited)
> caused by a user within our network doing a UDP portscan on their
> network. The portscan probably tried to connect to locations that were
> blocked in their network.
> Ken Arnold
>
> At 03:45 PM 2/5/03 -0500, Dennis Gorman wrote:
> >I have received over 7000 "ICMP Destination Unreachable (Communication
> >Administratively Prohibited)" alerts in the last 6 days. I look on
> >snort.org for info about this alert, but I'm still unsure if this is
> >something I need to worry about, and if not how can I remove this alert?
> >
> >I'm running snort on a MS Windows 200 Server.
> >
> >
> >Thanks,
> >
> >Dennis Gorman
> >Network Manager
> >North Shore Agency
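An added example, not part of the original thread: the triage described above starts from the destination of the ICMP packet, and the packet itself also quotes the IP header plus the first 8 bytes of the datagram that was refused (RFC 792), so the connection that provoked the alert can be read straight from a capture before going to the firewall logs. The function names and the sample packet (documentation addresses, UDP port 161) are constructed for illustration.

```python
import socket
import struct

# ICMP type 3 codes behind the two alert names quoted in the thread.
ADMIN_CODES = {9: "destination network administratively prohibited",
               13: "communication administratively prohibited"}
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_unreachable(pkt: bytes):
    """Return details of an IPv4 ICMP Destination Unreachable, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None                          # not IPv4 carrying ICMP
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 or icmp[0] != 3:
        return None                          # not type 3, or quote truncated
    inner = icmp[8:]                         # quoted header of the refused datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]      # RFC 792: first 8 bytes of its payload
    sport = dport = None
    if inner[9] in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "reporter": socket.inet_ntoa(pkt[12:16]),    # device that refused the traffic
        "alert_dst": socket.inet_ntoa(pkt[16:20]),   # host the ICMP was sent back to
        "reason": ADMIN_CODES.get(icmp[1], f"code {icmp[1]}"),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),  # what the host tried to reach
        "proto": PROTO.get(inner[9], str(inner[9])),
        "sport": sport,
        "dport": dport,
    }

def _ipv4(src, dst, proto, payload):
    # Minimal header for the constructed sample; checksum left at 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def sample_packet():
    # Constructed: 192.0.2.10 sent UDP to 198.51.100.7:161 and 198.51.100.1 refused it.
    udp = struct.pack("!HHHH", 40000, 161, 8, 0)
    quoted = _ipv4("192.0.2.10", "198.51.100.7", 17, udp)
    return _ipv4("198.51.100.1", "192.0.2.10", 1,
                 struct.pack("!BBHI", 3, 13, 0, 0) + quoted)

if __name__ == "__main__":
    print(parse_unreachable(sample_packet()))
```

When orig_src equals alert_dst, the quoted header agrees with the reading given in the thread that the alert's destination is the machine to investigate; orig_dst and dport are then the values to search for in the firewall logs around the alert time.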