Home page logo
/

snort logo Snort mailing list archives

ICMP rule not behaving as expected
From: Neil Dickey <neil () geol niu edu>
Date: Mon, 7 Apr 2003 12:17:45 -0500 (CDT)

I've checked list traffic since 2.0.0rc1 came out and haven't seen any
discussion of this.  I apologize if I missed anything, on the list or
in the manual.

The problem:  Windows boxes in my home net are UDP scanning for shares
on ports 137 and 138.  One of the university administrative machines
has its firewall set to block these, so I get "Destination Unreachable,
Port Unreachable" errors -- lots of them.  These entries are flooding
the log and reducing its usefulness.  Here is a sample from my alert
log:

  [**] [1:407:4] ICMP Destination Unreachable (Undefined Code!) [**]
  [Classification: Misc activity] [Priority: 3] 
  04/07-12:01:09.041982 0:2:33:44:55:6 -> 0:9:88:77:66:55 type:0x800 len:0x78
  offending.box.external.net -> my.home.net.99 ICMP TTL:252 TOS:0x0 ID:32283 IpLen:20 DgmLen:106 DF
  Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
  ** ORIGINAL DATAGRAM DUMP:
  my.home.net.99:137 -> offending.box.26.3:137 UDP TTL:125 TOS:0x0 ID:25359 IpLen:20 DgmLen:78 Len: 50
  ** END OF DUMP


What I would like to do is configure the Snort rule such that ICMP DU
packets from the offending box would be ignored, along with any such
packets from my home net, but I haven't been able to get it to work.

Here's what I tried first:

  In snort.conf I put the line ...
  
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
  
  ... and edited the rule in icmp-info.rules like this:

    alert icmp !$ICMP_AVOID any -> $HOME_NET any (msg:"ICMP Destination \
    Unreachable (Undefined Code!)"; itype: 3; sid:407;  classtype:misc- \
    activity; rev:4;)

Snort starts and runs fine with this setup, but the ICMP packets from
"offending.box.external.net" continue to be logged.  I next tried:

  In snort.conf ...
  
    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
    var ICMP_NET !$ICMP_AVOID
  
  ... and changed the rule in icmp-info.rules to this form:
  
    alert icmp $ICMP_NET any -> $HOME_NET any (msg:"ICMP Destination \
    Unreachable (Undefined Code!)"; itype: 3; sid:407;  classtype:misc- \
    activity; rev:4;)

None of the rules shipped with Snort use "!" and I thought to remove it
from the rules file and see if that helped.  It didn't, and the logs are
still getting packed.

Am I missing something obvious?  Have I found a bug, or is it something
else?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115




-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]