Snort mailing list archives
ICMP rule not behaving as expected
From: Neil Dickey <neil () geol niu edu>
Date: Mon, 7 Apr 2003 12:17:45 -0500 (CDT)
I've checked list traffic since 2.0.0rc1 came out and haven't seen any discussion of this. I apologize if I missed anything, on the list or in the manual.

The problem: Windows boxes in my home net are UDP scanning for shares on ports 137 and 138. One of the university administrative machines has its firewall set to block these, so I get "Destination Unreachable, Port Unreachable" errors -- lots of them. These entries are flooding the log and reducing its usefulness. Here is a sample from my alert log:

    [**] [1:407:4] ICMP Destination Unreachable (Undefined Code!) [**]
    [Classification: Misc activity] [Priority: 3]
    04/07-12:01:09.041982 0:2:33:44:55:6 -> 0:9:88:77:66:55 type:0x800 len:0x78
    offending.box.external.net -> my.home.net.99 ICMP TTL:252 TOS:0x0 ID:32283 IpLen:20 DgmLen:106 DF
    Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
    ** ORIGINAL DATAGRAM DUMP:
    my.home.net.99:137 -> offending.box.26.3:137 UDP TTL:125 TOS:0x0 ID:25359 IpLen:20 DgmLen:78
    Len: 50
    ** END OF DUMP

What I would like to do is configure the Snort rule such that ICMP DU packets from the offending box would be ignored, along with any such packets from my home net, but I haven't been able to get it to work.

Here's what I tried first. In snort.conf I put the line

    ...
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
    ...

and edited the rule in icmp-info.rules like this:

    alert icmp !$ICMP_AVOID any -> $HOME_NET any (msg:"ICMP Destination \
        Unreachable (Undefined Code!)"; itype: 3; sid:407; classtype:misc- \
        activity; rev:4;)

Snort starts and runs fine with this setup, but the ICMP packets from "offending.box.external.net" continue to be logged.

I next tried, in snort.conf:

    ...
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
    var ICMP_NET !$ICMP_AVOID
    ...

and changed the rule in icmp-info.rules to this form:

    alert icmp $ICMP_NET any -> $HOME_NET any (msg:"ICMP Destination \
        Unreachable (Undefined Code!)"; itype: 3; sid:407; classtype:misc- \
        activity; rev:4;)

None of the rules shipped with Snort use "!" and I thought to remove it from the rules file and see if that helped. It didn't, and the logs are still getting packed.

Am I missing something obvious? Have I found a bug, or is it something else?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
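The post hinges on what a negated source-address field such as `!$ICMP_AVOID` is supposed to mean: the rule should fire only when the packet's source falls in none of the listed networks. The script below is an added example, not Snort's code and not part of the original post; it parses alert-log entries in the layout quoted above and evaluates the author's intended exclusion against them. The alert text and the RFC 5737 addresses (192.0.2.0/24 as the home net, 203.0.113.7 as the offending host, 198.51.100.4 as an unrelated sender) are constructed stand-ins for the post's placeholders, and the function names (`parse_alerts`, `resolve_address_spec`, `source_matches`, `rule_407_fires`, `surviving_sources`) are hypothetical.

```python
"""Evaluate a Snort-style (negated) source-address list against alert-log entries.

Added example with the matching semantics the post expects; it is not Snort's
own implementation. All names, addresses and sample alerts are constructed.
"""
import ipaddress
import re

# Constructed alert-log sample in the layout the post quotes (two entries).
SAMPLE_ALERTS = """\
[**] [1:407:4] ICMP Destination Unreachable (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3]
04/07-12:01:09.041982 0:2:33:44:55:6 -> 0:9:88:77:66:55 type:0x800 len:0x78
203.0.113.7 -> 192.0.2.99 ICMP TTL:252 TOS:0x0 ID:32283 IpLen:20 DgmLen:106 DF
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE

[**] [1:407:4] ICMP Destination Unreachable (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3]
04/07-12:02:10.000000 0:2:33:44:55:6 -> 0:9:88:77:66:55 type:0x800 len:0x78
198.51.100.4 -> 192.0.2.99 ICMP TTL:250 TOS:0x0 ID:1 IpLen:20 DgmLen:106 DF
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
"""

RE_SID = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
RE_IPHDR = re.compile(r"^(\S+) -> (\S+) ICMP TTL:(\d+)", re.M)   # IP header line (no ports for ICMP)
RE_TYPE = re.compile(r"^Type:(\d+)\s+Code:(\d+)", re.M)          # ICMP type/code line


def parse_alerts(text):
    """Split an alert log into records: sid, src, dst, itype, icode."""
    records = []
    for block in text.strip().split("\n\n"):
        sid, hdr, typ = RE_SID.search(block), RE_IPHDR.search(block), RE_TYPE.search(block)
        if not (sid and hdr and typ):
            continue  # not an ICMP entry in the expected layout; skip it
        records.append({
            "sid": int(sid.group(2)),
            "src": ipaddress.ip_address(hdr.group(1)),
            "dst": ipaddress.ip_address(hdr.group(2)),
            "itype": int(typ.group(1)),
            "icode": int(typ.group(2)),
        })
    return records


def resolve_address_spec(spec, variables):
    """Turn '!$VAR', '$VAR', '[a,b]', 'a' or 'any' into (negated, [networks]).

    A '!' on the variable's value and a '!' in front of the variable combine
    (two negations cancel), so 'var X !$Y' followed by '!$X' means '$Y'.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("$"):
        inner_neg, nets = resolve_address_spec(variables[spec[1:]], variables)
        return negated ^ inner_neg, nets
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = [a.strip() for a in spec.strip("[]").split(",") if a.strip()]
    return negated, [ipaddress.ip_network(a, strict=False) for a in items]


def source_matches(spec, variables, src):
    """True when address src satisfies the rule's address field spec."""
    src = ipaddress.ip_address(src)
    negated, nets = resolve_address_spec(spec, variables)
    in_list = any(src in n for n in nets)
    return (not in_list) if negated else in_list


def rule_407_fires(alert, src_spec, variables):
    """Would 'alert icmp <src_spec> any -> $HOME_NET any (itype:3; sid:407;)' fire?"""
    return (alert["itype"] == 3
            and source_matches(src_spec, variables, alert["src"])
            and source_matches("$HOME_NET", variables, alert["dst"]))


# Constructed snort.conf variables mirroring the post's two attempts.
VARIABLES = {
    "HOME_NET": "192.0.2.0/24",
    "ICMP_AVOID": "[192.0.2.0/24,203.0.113.7]",
    "ICMP_NET": "!$ICMP_AVOID",
}


def surviving_sources(text=SAMPLE_ALERTS, src_spec="$ICMP_NET", variables=VARIABLES):
    """Source addresses of the alerts that the rule would still raise."""
    return [str(a["src"]) for a in parse_alerts(text) if rule_407_fires(a, src_spec, variables)]


if __name__ == "__main__":
    print(surviving_sources())  # ['198.51.100.4']: the offending host is filtered out
```

Both of the post's spellings, `!$ICMP_AVOID` on the rule and `$ICMP_NET` defined as `!$ICMP_AVOID`, resolve to the same negated list here, which is the behaviour the author was expecting; the second entry survives because its source is in neither the home net nor the excluded host. Running the same check over a real alert file is a quick way to confirm whether a rule change is actually being applied or whether the alerts come from a source the exclusion does not cover.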