Snort mailing list archives
Does ICMP detection work or what?
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Thu, 28 Jun 2001 19:00:22 -0400
We don't allow ICMP in or out of our firewall. I have the Snort server just
inside the firewall. Every day I get TONS of countless alerts on just about
every type of ICMP packet possible that is supposedly coming in through the
firewall. How can this be? If I do a manual ping against the outside of the
firewall, I get no responses so it appears to be blocked. We also checked
the rules on the firewall, and ICMP is definitely blocked in BOTH
directions. Yet my logs are filling up with ICMP alerts. Some examples are
below. We should be seeing NO ICMP alerts, yet we are seeing ALL of these.
Can someone explain? This is a HUGE problem.
Thanks,
Paul
8.64 192 ICMP Echo Reply
    48 03016109.ppptlh.nettally.com -> <one of our servers>
    25 n75.OnlineToday.Com -> <one of our servers>
5.49 122 ICMP Unknown Type
    38 03016109.ppptlh.nettally.com -> <one of our servers>
    12 n75.OnlineToday.Com -> <one of our servers>
1.17 26 MISC Large ICMP Packet
    7 adsl-64-171-188-149.dsl.snfc21.pacbell.net -> <one of our servers>
    4 adsl-141-150-207-238.delval.adsl.bellatlantic.net -> <one of our servers>
1.04 1 ICMP Echo Request
    1 04016188.ppptlh.nettally.com -> <one of our servers>
0.59 13 ICMP Fragment Reassembly Time Exceeded
    5 <one of our servers> -> lsanca1-ar14-013-096.elnk.dsl.gtei.net
    2 <one of our servers> -> host217-32-125-89.hg.mdip.bt.net
0.32 7 ICMP Echo Reply (Undefined Code!)
    5 03016109.ppptlh.nettally.com -> <one of our servers>
    1 n75.OnlineToday.Com -> <one of our servers>
0.27 6 ICMP Unassigned! (Type 1)
    2 04016188.ppptlh.nettally.com -> <one of our servers>
    2 03016109.ppptlh.nettally.com -> <one of our servers>
0.09 2 ICMP Parameter Problem (Undefined Code!)
    1 n75.OnlineToday.Com -> <one of our servers>
    1 n75.OnlineToday.Com -> <one of our servers>
0.09 2 ICMP Information Reply (Undefined Code!)
    1 03016109.ppptlh.nettally.com -> <one of our servers>
    1 n75.OnlineToday.Com -> <one of our servers>
0.09 2 ICMP Echo Request (Undefined Code!)
    1 03016109.ppptlh.nettally.com -> <one of our servers>
    1 user-33qs1fp.dialup.mindspring.com -> <one of our servers>
0.09 2 ICMP Traceroute (Undefined Code!)
    1 03016109.ppptlh.nettally.com -> <one of our servers>
    1 n75.OnlineToday.Com -> <one of our servers>
0.05 1 ICMP Unassigned! (Type 1) (Undefined Code)
    1 03016109.ppptlh.nettally.com -> <one of our servers>
0.05 1 ICMP Router Selection (Undefined Code!)
    1 pD9542EB0.dip.t-dialin.net -> <one of our servers>
0.05 1 ICMP SKIP (Undefined Code!
    1 04016188.ppptlh.nettally.com -> <one of our servers>
0.05 1 ICMP IPV6 I-Am-Here (Undefined Code!
    1 NBN-TNT2-pool1-219.coastalnet.com -> <one of our servers>
0.05 1 ICMP Unassigned! (Type 7) (Undefined Code!)
    1 pD9542EB0.dip.t-dialin.net -> <one of our servers>
