Snort mailing list archives

ICMP rule not behaving as expected
From: Neil Dickey <neil () geol niu edu>
Date: Mon, 7 Apr 2003 12:17:45 -0500 (CDT)

I've checked list traffic since 2.0.0rc1 came out and haven't seen any
discussion of this.  I apologize if I missed anything, on the list or
in the manual.

The problem:  Windows boxes in my home net are UDP scanning for shares
on ports 137 and 138.  One of the university administrative machines
has its firewall set to block these, so I get "Destination Unreachable,
Port Unreachable" errors -- lots of them.  These entries are flooding
the log and reducing its usefulness.  Here is a sample from my alert

  [**] [1:407:4] ICMP Destination Unreachable (Undefined Code!) [**]
  [Classification: Misc activity] [Priority: 3] 
  04/07-12:01:09.041982 0:2:33:44:55:6 -> 0:9:88:77:66:55 type:0x800 len:0x78
  offending.box.external.net -> my.home.net.99 ICMP TTL:252 TOS:0x0 ID:32283 IpLen:20 DgmLen:106 DF
  my.home.net.99:137 -> offending.box.26.3:137 UDP TTL:125 TOS:0x0 ID:25359 IpLen:20 DgmLen:78 Len: 50

What I would like to do is configure the Snort rule such that ICMP DU
packets from the offending box would be ignored, along with any such
packets from my home net, but I haven't been able to get it to work.

Here's what I tried first:

  In snort.conf I put the line ...
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
  ... and edited the rule in icmp-info.rules like this:

    alert icmp !$ICMP_AVOID any -> $HOME_NET any (msg:"ICMP Destination \
    Unreachable (Undefined Code!)"; itype: 3; sid:407;  classtype:misc- \
    activity; rev:4;)

Snort starts and runs fine with this setup, but the ICMP packets from
"offending.box.external.net" continue to be logged.  I next tried:

  In snort.conf ...
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
  ... and changed the rule in icmp-info.rules to this form:
    alert icmp $ICMP_NET any -> $HOME_NET any (msg:"ICMP Destination \
    Unreachable (Undefined Code!)"; itype: 3; sid:407;  classtype:misc- \
    activity; rev:4;)

None of the rules shipped with Snort use "!" and I thought to remove it
from the rules file and see if that helped.  It didn't, and the logs are
still getting packed.

Am I missing something obvious?  Have I found a bug, or is it something

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
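
The following is an added example, not part of Neil's message or of any reply in the thread, and not Snort code. It models the documented Snort 2.x rule-header address semantics (`any`, `$VAR` substitution, `[a,b]` lists, and a leading `!` negating the whole field) so the two rule headers in the post can be evaluated offline against the kind of traffic in the alert. The host names in the post are placeholders, so RFC 5737 addresses are constructed stand-ins for `my.home.net.0/24` and `offending.box.external.net`; the variable names `EXTERNAL_NET`, `HOME_NET` and `ICMP_AVOID` mirror the post's snort.conf lines. It says nothing about why the poster's Snort kept alerting; it only shows which packets each header is meant to select.

```python
"""Model of Snort 2.x rule-header address matching (added example, not Snort's code).

Semantics modelled:
  - 'any' matches every address
  - $NAME is replaced by the value of variable NAME (values may nest)
  - [a,b,...] is a list of hosts / CIDR blocks, matched if any element matches
  - a leading '!' negates the whole field, so ![a,b] == (not a) and (not b)
"""
import ipaddress
import re

# Constructed variable table; RFC 5737 addresses stand in for the post's
# placeholder host names.
SNORT_VARS = {
    "HOME_NET": "10.0.0.0/24",                 # my.home.net.0/24
    "EXTERNAL_NET": "!$HOME_NET",              # stock snort.conf default
    "ICMP_AVOID": "[10.0.0.0/24,192.0.2.10]",  # my.home.net.0/24, offending box
}

_VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def expand_vars(spec, variables, depth=8):
    """Substitute $NAME tokens until none remain; undefined names are an error."""
    for _ in range(depth):
        if "$" not in spec:
            return spec

        def repl(match):
            name = match.group(1)
            if name not in variables:
                raise KeyError(f"undefined variable ${name}")
            return variables[name]

        spec = _VAR_RE.sub(repl, spec)
    raise ValueError("variable expansion too deep (cycle?)")


def parse_addr_spec(spec, variables):
    """Return (negated, networks); networks is None for 'any'."""
    spec = expand_vars(spec.strip(), variables).strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        if negated:
            raise ValueError("'!any' would match nothing")
        return False, None
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in spec.split(",") if tok.strip()]
    if not nets:
        raise ValueError("empty address list")
    return negated, nets


def addr_matches(spec, addr, variables=SNORT_VARS):
    """Does one rule-header address field select this address?"""
    negated, nets = parse_addr_spec(spec, variables)
    if nets is None:
        return True
    ip = ipaddress.ip_address(addr)
    hit = any(ip in net for net in nets)
    return not hit if negated else hit


def header_matches(src_spec, dst_spec, pkt_src, pkt_dst, variables=SNORT_VARS):
    """Both address fields of 'alert icmp SRC any -> DST any' must select the packet."""
    return (addr_matches(src_spec, pkt_src, variables)
            and addr_matches(dst_spec, pkt_dst, variables))


# Constructed packets: the port-unreachable from the post's offending box,
# one from an unrelated external host, and one from inside the home net.
PACKETS = {
    "offending box": ("192.0.2.10", "10.0.0.99"),
    "other external": ("198.51.100.7", "10.0.0.99"),
    "home net host": ("10.0.0.5", "10.0.0.99"),
}

# The stock sid 407 header and the post's first attempt (rule body unchanged).
RULES = {
    "stock sid 407": ("$EXTERNAL_NET", "$HOME_NET"),
    "first attempt": ("!$ICMP_AVOID", "$HOME_NET"),
}


def evaluate():
    """Map each rule header to the packets it selects under the modelled semantics."""
    return {rule: {name: header_matches(src, dst, *pkt)
                   for name, pkt in PACKETS.items()}
            for rule, (src, dst) in RULES.items()}


if __name__ == "__main__":
    for rule, results in evaluate().items():
        print(rule)
        for name, matched in results.items():
            print(f"  {name:15s} {'ALERT' if matched else 'ignored'}")
```

Under these semantics the `!$ICMP_AVOID` header selects the unrelated external host and drops both the offending box and home-net sources, which is the behaviour the post is after; the post's second header, `$ICMP_NET`, refers to a variable that the shown snort.conf lines never define, and the model raises `KeyError` for it rather than silently matching anything.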
