Snort mailing list archives
Re: Snort ICMP # 485
From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Mon, 24 Nov 2003 07:13:46 -0600 (CST)
Not sure what you mean by "i have read what is about #485", but: ICMP is often part of a so-called "protocol bender", in that an ICMP packet often occurs as a response to a non-ICMP packet, usually to report some error condition. Some of the most common ICMP messages in this case include "unreachable" messages of various sorts and "timeout" messages for packet time-to-live (which is used for UNIX-based traceroute - see http://www.exit109.com/~jeremy/news/providers/traceroute.html ) or fragment reassembly.

The ICMP packets that this rule alerts on are of a slightly different character. An "administratively prohibited" ICMP message is sent when a host - usually a router - has access control configured into it that doesn't allow the traffic that was sent. A simple example: if your border router doesn't allow connections to services that are commonly unencrypted, say telnet, SNMP, POP, and IMAP, you'd have a Cisco ACL that looked like:

    access-list 101 deny tcp any any eq 23
    access-list 101 deny tcp any any eq 110
    access-list 101 deny tcp any any eq 143
    access-list 101 deny udp any any eq 161
    access-list 101 permit ip any any

Then the default behavior of your Cisco router when someone tries to telnet in is for the border router (*not* the target host) to return this ICMP message to the initiating host, with a copy of the packet ("Original Datagram Dump") that triggered it in the ICMP packet's payload.

In your particular example, host 195.143.234.178 tried to send a packet - it's not clear from the data you submitted what sort of packet - to host 57.72.7.62; however the router with address 57.72.1.170 dropped the packet, and sent this ICMP packet to notify the sending host of the problem.

If 195.143.0.0/16 or some subset is your network, then either your host 195.143.234.178 might bear some inspection, or someone might be spoofing (forging) your address space.

If 57.72.0.0/16 or some subset is your network, then someone at 195.143.234.178 (or spoofing that address) may have been probing your border.

More data would help :)

-g

On Mon, 24 Nov 2003, Timm Schneider wrote:
Hi all,

in my alerts file there is often the entry #485, i.e. ICMP Administrative Prohibited. On the Snort site I have read what #485 is about. Now I have a question: what exactly does this mean?

    11/22-05:59:19.952942 57.72.1.170 -> 195.143.234.178
    Date-Hour            ???            my IP
    Packet Filtered
    Original Datagram Dump
    195.143.234.178 -> 57.72.7.62

Why are the IPs not identical? What does that mean? Does Snort get to know the real spoofing address?

Thanks in advance.

Timm Schneider
-------------------
Musik-digital-Markt
Siegesstr.22a
80802 München
Voice: 089/ 51997011
Fax: 089/ 51997012
www.mdmarkt.de
HD recording, network engineering, studio engineering
Our mails are checked with Kaspersky AVP virus scan.
Glenn Forbes Fleming Larratt
Rice University Networking
glratt () rice edu
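The message rule 485 fires on is ICMP type 3 (Destination Unreachable), code 13 (Communication Administratively Prohibited), and the two address pairs in Timm's alert are the outer IP header (router -> original sender) and the denied packet's own IP header carried in the ICMP payload. The following is an added example that decodes such a packet and applies the two readings from Glenn's reply; it is not code from this thread or from Snort. The packet bytes are constructed to match the alert's addresses, the denied packet is assumed to be TCP to port 23 (the posts do not show what it actually was), and every function name is this example's own.

```python
"""Decode an ICMP "Communication Administratively Prohibited" message
(type 3, code 13) and recover the Original Datagram Dump a filtering router
embeds in it (RFC 792: the denied packet's IP header + its first 8 bytes).
Added example for this thread, not Snort code. The sample packet is
constructed to match the alert; the denied datagram is ASSUMED to be TCP
to port 23, which the posts do not show."""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_admin_prohibited(router: str, orig_src: str, orig_dst: str,
                           sport: int, dport: int) -> bytes:
    """Constructed sample of what a border router sends back when an ACL denies
    a TCP packet: outer IP (router -> sender), ICMP 3/13, then the denied
    packet's IP header and the first 8 bytes of its TCP header."""
    tcp8 = struct.pack("!HHI", sport, dport, 0x11223344)   # ports + sequence number
    inner = ipv4_header(orig_src, orig_dst, 6, 20, ttl=63) + tcp8
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_ADMIN_PROHIBITED, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, orig_src, 1, len(icmp)) + icmp


def parse_ipv4(buf: bytes, verify_checksum: bool = True):
    """Return (header fields, payload). The dumped inner header is parsed without
    checksum verification, since devices in the path may have rewritten it."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 version/IHL")
    if verify_checksum and ip_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    fields = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
              "proto": proto, "ttl": ttl, "total_len": total_len}
    return fields, buf[ihl:]


def decode_admin_prohibited(pkt: bytes) -> dict:
    """Explain the two address pairs in the alert: the outer pair is
    router -> original sender, the inner pair is the denied packet itself."""
    outer, payload = parse_ipv4(pkt)
    if outer["proto"] != 1 or len(payload) < 8:
        raise ValueError("not an ICMP packet")
    itype, icode, _csum, _unused = struct.unpack("!BBHI", payload[:8])
    if ip_checksum(payload) != 0:
        raise ValueError("bad ICMP checksum")
    if (itype, icode) != (ICMP_DEST_UNREACH, ICMP_CODE_ADMIN_PROHIBITED):
        raise ValueError(f"not admin-prohibited: type {itype} code {icode}")
    inner, transport = parse_ipv4(payload[8:], verify_checksum=False)
    out = {"router": outer["src"], "notified": outer["dst"],
           "orig_src": inner["src"], "orig_dst": inner["dst"], "orig_proto": inner["proto"]}
    if inner["proto"] in (6, 17) and len(transport) >= 4:   # TCP/UDP: ports come first
        out["orig_sport"], out["orig_dport"] = struct.unpack("!HH", transport[:4])
    return out


def classify(decoded: dict, our_prefixes) -> str:
    """Apply the reply's two readings: is the denied sender in our space (our
    host misbehaving, or our space spoofed), or was our border being probed?"""
    nets = [ipaddress.ip_network(p) for p in our_prefixes]

    def ours(addr: str) -> bool:
        return any(ipaddress.ip_address(addr) in n for n in nets)

    if ours(decoded["orig_src"]):
        return "our-host-sent-or-spoofed"
    if ours(decoded["orig_dst"]) or ours(decoded["router"]):
        return "someone-probed-our-border"
    return "transit"


if __name__ == "__main__":
    sample = build_admin_prohibited("57.72.1.170", "195.143.234.178", "57.72.7.62", 40123, 23)
    info = decode_admin_prohibited(sample)
    print(info)
    print(classify(info, ["195.143.0.0/16"]), classify(info, ["57.72.0.0/16"]))
```

On a real alert, feed decode_admin_prohibited the raw bytes from a packet capture rather than the constructed sample. The outer header and ICMP checksum are verified strictly because a router built them; the inner header is only parsed, since a dump that has passed through NAT or another rewriting device can carry a stale checksum while still naming the right source and destination.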
Current thread:
- Snort ICMP # 485 Timm Schneider (Nov 24)
- Re: Snort ICMP # 485 Glenn Forbes Fleming Larratt (Nov 24)
- Re: Snort ICMP # 485 Timm Schneider (Nov 24)
- Re: Snort ICMP # 485 Glenn Forbes Fleming Larratt (Nov 24)