Snort mailing list archives

ICMP rule not behaving as expected


From: Neil Dickey <neil () geol niu edu>
Date: Mon, 7 Apr 2003 12:17:45 -0500 (CDT)

I've checked list traffic since 2.0.0rc1 came out and haven't seen any
discussion of this.  I apologize if I missed anything, on the list or
in the manual.

The problem:  Windows boxes in my home net are UDP scanning for shares
on ports 137 and 138.  One of the university administrative machines
has its firewall set to block these, so I get "Destination Unreachable,
Port Unreachable" errors -- lots of them.  These entries are flooding
the log and reducing its usefulness.  Here is a sample from my alert
log:

  [**] [1:407:4] ICMP Destination Unreachable (Undefined Code!) [**]
  [Classification: Misc activity] [Priority: 3] 
  04/07-12:01:09.041982 0:2:33:44:55:6 -> 0:9:88:77:66:55 type:0x800 len:0x78
  offending.box.external.net -> my.home.net.99 ICMP TTL:252 TOS:0x0 ID:32283 IpLen:20 DgmLen:106 DF
  Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
  ** ORIGINAL DATAGRAM DUMP:
  my.home.net.99:137 -> offending.box.26.3:137 UDP TTL:125 TOS:0x0 ID:25359 IpLen:20 DgmLen:78 Len: 50
  ** END OF DUMP


What I would like to do is configure the Snort rule such that ICMP DU
packets from the offending box would be ignored, along with any such
packets from my home net, but I haven't been able to get it to work.

Here's what I tried first:

  In snort.conf I put the line ...
  
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
  
  ... and edited the rule in icmp-info.rules like this:

    alert icmp !$ICMP_AVOID any -> $HOME_NET any (msg:"ICMP Destination \
    Unreachable (Undefined Code!)"; itype: 3; sid:407;  classtype:misc- \
    activity; rev:4;)

Snort starts and runs fine with this setup, but the ICMP packets from
"offending.box.external.net" continue to be logged.  I next tried:

  In snort.conf ...
  
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
    var ICMP_NET !$ICMP_AVOID
  
  ... and changed the rule in icmp-info.rules to this form:
  
    alert icmp $ICMP_NET any -> $HOME_NET any (msg:"ICMP Destination \
    Unreachable (Undefined Code!)"; itype: 3; sid:407;  classtype:misc- \
    activity; rev:4;)

None of the rules shipped with Snort use "!" and I thought to remove it
from the rules file and see if that helped.  It didn't, and the logs are
still getting packed.

Am I missing something obvious?  Have I found a bug, or is it something
else?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
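
To make the intended semantics of the header variants above concrete, here is an added example (not part of the post or of Snort) that evaluates Snort 2.x style source/destination address specs, including `$VAR` expansion and a leading `!` on a list, against the fields parsed out of an alert block laid out like the one quoted. It assumes that `![a,b]` means "in none of a, b" and uses constructed RFC 5737 documentation addresses in place of the post's my.home.net / offending.box placeholders.

```python
import ipaddress
import re

# Constructed Snort 2.x-style variables: RFC 5737 documentation addresses stand in
# for the post's my.home.net / offending.box placeholders.
VARIABLES = {
    "HOME_NET": "192.0.2.0/24",
    "ICMP_AVOID": "[192.0.2.0/24,198.51.100.7]",
    "ICMP_NET": "!$ICMP_AVOID",
}

def _expand(spec, variables):
    # Resolve $VAR and leading '!' into (negated, nets); nets is None for 'any'.
    negated, spec = False, spec.strip()
    while spec.startswith(("!", "$")):
        if spec[0] == "!":
            negated, spec = not negated, spec[1:].strip()
        else:
            spec = variables[spec[1:]].strip()
    if spec == "any":
        return negated, None
    inner = spec[1:-1] if spec.startswith("[") else spec
    return negated, [ipaddress.ip_network(p.strip(), strict=False)
                     for p in inner.split(",") if p.strip()]

def address_matches(spec, ip, variables=VARIABLES):
    # True if the rule-header address spec covers ip (assumed '!' = not in list).
    negated, nets = _expand(spec, variables)
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def rule_fires(src_spec, dst_spec, itype, pkt, variables=VARIABLES):
    # Evaluate 'alert icmp SRC any -> DST any (itype:N;)' against a parsed alert.
    return (pkt["itype"] == itype
            and address_matches(src_spec, pkt["src"], variables)
            and address_matches(dst_spec, pkt["dst"], variables))

ALERT_RE = re.compile(r"^\s*(\S+) -> (\S+) ICMP TTL", re.M)
TYPE_RE = re.compile(r"Type:(\d+)\s+Code:(\d+)")

def parse_alert(block):
    # Pull src, dst and ICMP type/code out of one alert block laid out as in the post.
    src, dst = ALERT_RE.search(block).groups()
    itype, icode = map(int, TYPE_RE.search(block).groups())
    return {"src": src, "dst": dst, "itype": itype, "icode": icode}

# Constructed alert block in the same layout as the one quoted above.
SAMPLE_ALERT = """[**] [1:407:4] ICMP Destination Unreachable (Undefined Code!) [**]
198.51.100.7 -> 192.0.2.99 ICMP TTL:252 TOS:0x0 ID:32283 IpLen:20 DgmLen:106 DF
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
"""
```

Running `rule_fires("!$ICMP_AVOID", "$HOME_NET", 3, parse_alert(SAMPLE_ALERT))` returns False under these assumed semantics, which is the behaviour the post expected; comparing that against what a given Snort build actually logs isolates whether the header, the variable expansion or something else is at fault.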
