Snort mailing list archives

Re: how to further diagnose 'ICMP Destination Unreachable' problem?


From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Wed, 31 Aug 2005 10:13:11 +0100
--On 29 August 2005 10:11 -0700 "Chris W. Parker" <cparker () swatgear com> wrote:

I have a lot of 'ICMP Destination Unreachable Port Unreachable' alerts
(36%) and I'm wondering what I should do to diagnose and correct the
problem.

I don't know much about networking so I wasn't able to glean much
insight from the Snort website
(http://www.snort.org/pub-bin/sigs.cgi?sid=402).

Sort by destination address (since these ICMP messages are generated in response to something that the *destination* purportedly did /previously/), and see if they are largely attributable to a single host. If they are, chances are that host was port-scanning or was being used as a decoy source address for a port scan. If not, they're probably just background noise.

For the future, I suggest using thresholding to limit the number of ICMP Destination Unreachable alerts logged, such that only a particularly noisy host causes alerts. e.g.:

threshold: type both, track by_dst, count 800, seconds 600;

Thanks,
Chris.

HTH,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
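The two steps Alex describes (group SID 402 alerts by destination, then suppress all but the noisiest hosts) as an added Python example that is not from the list post or from Snort itself; the alert lines are constructed in Snort's "fast" output format, and the threshold function emulates "type both, track by_dst" semantics over them:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Snort "fast" alert format (made-up hosts and times).
# For SID 402 the *destination* is the host whose earlier packet provoked the
# ICMP reply, so that is the address worth grouping on.
SAMPLE_ALERTS = """\
08/29-10:00:01.000000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] {ICMP} 10.0.0.5 -> 192.0.2.10
08/29-10:00:02.000000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] {ICMP} 10.0.0.6 -> 192.0.2.10
08/29-10:00:03.000000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] {ICMP} 10.0.0.7 -> 192.0.2.10
08/29-10:00:04.000000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] {ICMP} 10.0.0.8 -> 192.0.2.10
08/29-10:05:00.000000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] {ICMP} 10.0.0.5 -> 192.0.2.77
08/29-10:30:00.000000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] {ICMP} 10.0.0.5 -> 192.0.2.10
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_alerts(text, sid="402"):
    """Return (timestamp, src, dst) tuples for alert lines carrying the given SID."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("sid") == sid:
            ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
            out.append((ts, m.group("src"), m.group("dst")))
    return out

def count_by_dst(alerts):
    """Alert counts per destination, noisiest first (the 'sort by destination' step)."""
    counts = defaultdict(int)
    for _, _, dst in alerts:
        counts[dst] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

def threshold_both_by_dst(alerts, count=800, seconds=600):
    """Emulate 'threshold: type both, track by_dst, count N, seconds S':
    log once per destination per S-second window, and only on the Nth event."""
    state = {}    # dst -> (window_start, events seen in this window)
    logged = []
    for ts, _, dst in alerts:
        start, n = state.get(dst, (None, 0))
        if start is None or (ts - start).total_seconds() >= seconds:
            start, n = ts, 0          # window expired: open a new one
        n += 1
        state[dst] = (start, n)
        if n == count:                # Nth event inside the window: log exactly once
            logged.append((ts, dst))
    return logged
```

With the post's real parameters (count 800, seconds 600) the sample logs nothing; lowering count to 3 shows the one alert that 192.0.2.10 would produce for its burst, while the later event at 10:30 opens a fresh window.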
