Snort mailing list archives
Re: Newbie: why so many ICMPs?
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Thu, 08 Jul 2004 09:44:17 +0100
--On 07 July 2004 20:50 -0600 John Bertagnolli <ijbert () mac com> wrote:

> I spent yesterday loading Fedora 2, snort and ACID. I have everything working like I think it's supposed to. When I log into my ACID page, I see literally hundreds of "ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited" messages. The source address is my IP, the destination address varies. These messages are 90% of what I am seeing in ACID. I can see these entries logged if I try to ftp to my machine, having ftp off. My thought is that the service is denied, the ICMP is generated, and my router is interfering. I have a Netgear ADSL Firewall Router DG834. I have turned off NAT and added firewall holes to allow all traffic inbound and output. Is this a reasonable assumption? I could buy a new ADSL modem. Barring that, could I turn these responses off, since they aren't getting past my modem/router? Or is that something I shouldn't do?
>
> Thanks, John

You haven't really given us enough details to go on, but my guess is that you're allowing virtually everything in (through your router) from the Internet to your internal hosts, and that these hosts are rejecting incoming portscans and suchlike with the ICMP messages that you're seeing in ACID. Note that if you've enabled the firewall during the Fedora installation, it will, IIRC, generate ICMP Admin Prohibited messages for incoming connections that it rejects.
HTH, Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
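Alex's explanation turns on the direction of the ICMP message: when the outer source of the "Administratively Prohibited" datagram is the sensor's own address, the sensor (or its host firewall) is the one rejecting an inbound attempt, and the embedded original datagram that Snort prints in its full alert output tells you which remote peer tried which local port. The script below is an added example, not code from this thread or from the Snort project: it parses a constructed sample that loosely imitates Snort's multi-line full alert format (the sid/rev fields, timestamps and addresses are placeholders) and splits the alerts into "our host rejected an inbound connection" versus "some remote router rejected our outbound traffic", tallied by peer and port. `LOCAL_IP` is an assumption standing in for "my IP" in the question.

```python
import re
from collections import Counter

# Assumption: the Snort sensor's own address (the "my IP" source in the question).
LOCAL_IP = "192.168.1.10"

# ICMP type 3 codes that mean "filtered by policy" rather than "no route":
# 9 = network admin prohibited, 10 = host admin prohibited, 13 = admin prohibited.
ADMIN_PROHIBITED_CODES = {9, 10, 13}

# Constructed sample, loosely modelled on Snort's multi-line "full" alert output.
# Not real captures: sid/rev are zeroed and the addresses are documentation ranges.
SAMPLE_ALERTS = """\
[**] [1:0:0] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**]
07/08-09:44:17.101 192.168.1.10 -> 203.0.113.5
ICMP TTL:64 TOS:0xC0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:10  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
203.0.113.5:4021 -> 192.168.1.10:21
TCP TTL:48 TOS:0x0 ID:31337 IpLen:20 DgmLen:60 DF

[**] [1:0:0] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**]
07/08-09:44:18.220 192.168.1.10 -> 203.0.113.5
ICMP TTL:64 TOS:0xC0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:10  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
203.0.113.5:4022 -> 192.168.1.10:23
TCP TTL:48 TOS:0x0 ID:31338 IpLen:20 DgmLen:60 DF

[**] [1:0:0] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**]
07/08-09:44:30.005 192.168.1.10 -> 198.51.100.77
ICMP TTL:64 TOS:0xC0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:10  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
198.51.100.77:51000 -> 192.168.1.10:21
TCP TTL:52 TOS:0x0 ID:777 IpLen:20 DgmLen:60 DF

[**] [1:0:0] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**]
07/08-09:45:02.900 198.51.100.1 -> 192.168.1.10
ICMP TTL:250 TOS:0x0 ID:4242 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.168.1.10:33011 -> 198.51.100.9:25
TCP TTL:63 TOS:0x0 ID:9001 IpLen:20 DgmLen:60 DF
"""

# Outer IP header line: "MM/DD-hh:mm:ss.uuu src -> dst"
HEADER_RE = re.compile(r"^\d\d/\d\d-[\d:.]+ (\S+) -> (\S+)$", re.M)
TYPECODE_RE = re.compile(r"Type:(\d+)\s+Code:(\d+)")
# Embedded original datagram: "src:sport -> dst:dport"
INNER_RE = re.compile(r"^(\S+?):(\d+) -> (\S+?):(\d+)$", re.M)


def parse_alerts(text):
    """Split full-format alert text into records; skip blocks missing a header or type/code."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header, tc, inner = HEADER_RE.search(block), TYPECODE_RE.search(block), INNER_RE.search(block)
        if not (header and tc):
            continue
        rec = {"src": header.group(1), "dst": header.group(2),
               "type": int(tc.group(1)), "code": int(tc.group(2)), "inner": None}
        if inner:
            rec["inner"] = {"src": inner.group(1), "sport": int(inner.group(2)),
                            "dst": inner.group(3), "dport": int(inner.group(4))}
        records.append(rec)
    return records


def summarize(records, local_ip=LOCAL_IP):
    """Tally admin-prohibited messages by who rejected whom, keyed (peer, port)."""
    out = {"local_rejects": Counter(), "remote_rejects": Counter(), "other": 0}
    for r in records:
        if r["type"] != 3 or r["code"] not in ADMIN_PROHIBITED_CODES:
            out["other"] += 1
            continue
        inner = r["inner"]
        if r["src"] == local_ip:
            # Our host (or its firewall) rejected an inbound attempt from inner src to our dport.
            key = (inner["src"], inner["dport"]) if inner else (r["dst"], None)
            out["local_rejects"][key] += 1
        else:
            # A remote router/firewall rejected something we sent; key by the rejecting hop.
            key = (r["src"], inner["dport"]) if inner else (r["src"], None)
            out["remote_rejects"][key] += 1
    return out


def report(summary):
    """Render the tallies as lines a list reader could paste back into a reply."""
    lines = []
    for (peer, port), n in sorted(summary["local_rejects"].items()):
        lines.append(f"inbound to local port {port} from {peer} rejected by this host: {n}")
    for (hop, port), n in sorted(summary["remote_rejects"].items()):
        lines.append(f"our outbound to port {port} rejected by remote filter {hop}: {n}")
    if summary["other"]:
        lines.append(f"other destination-unreachable codes: {summary['other']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_alerts(SAMPLE_ALERTS)))))
```

Run against the sensor's real full-format alert file, this separates the noise Alex describes (the host's own REJECT rules answering scans of closed ports such as 21 and 23) from the rarer and more interesting case of a remote filter rejecting the sensor's own outbound traffic, which is what the question's "could I turn these responses off" would actually hide.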
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Newbie: why so many ICMPs? John Bertagnolli (Jul 07)
- Re: Newbie: why so many ICMPs? Alex Butcher, ISC/ISYS (Jul 08)
- Re: Newbie: why so many ICMPs? John Bertagnolli (Jul 08)
- Re: Newbie: why so many ICMPs? Alex Butcher, ISC/ISYS (Jul 08)