Snort mailing list archives
Re: ICMP - redirect host
From: John Sage <jsage () finchhaven com>
Date: Thu, 4 Jul 2002 11:01:49 -0700
David: On Thu, Jul 04, 2002 at 09:31:58AM +0100, David Alexandre M. de Carvalho wrote:
Hi! I have a red hat linux 7.2 configured to be a gateway to a masquerade network using ipchains. I have lots of snort logs, but the most frequent are: "ICMP - redirect host. Classification: Potentially bad traffic". If I add the rule /sbin/ipchains -N icmp-acc to accept standard ICMP errors, and a few more "config", will this reduce the size of my logs? Since they are mostly these messages.
I'm going to say, no, not at all, although the full text of what's in
the snort logs would be helpful to see, as well as your snort version
etc etc etc...
The snort alert is probably this:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; itype:5; icode:1; reference:arachnids,135; reference:cve,CVE-1999-0265; classtype:bad-unknown; sid:472; rev:1;)
in icmp.rules; if you add a user-defined rule to ipchains, that's
going to affect ipchains, only.
You might try commenting-out that rule in icmp.rules; or, changing it
from an "alert" to a "pass" and start snort with a -o added to the
command line.
Personally, I've got my ipchains rules set up to DENY icmp redirects
anyway:
-A input -s 0.0.0.0/0.0.0.0 5:5 -d 0.0.0.0/0.0.0.0 -i ppp0 -p 1 -j DENY -l
As well as this:
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > $f
done
which may be redundant...
- John
--
"You are in a little maze of twisty passages, all different."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
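As an added example (not code from John's message or from the Snort project), the matcher below mirrors what the two rules quoted above actually test, over constructed IPv4/ICMP packets: the Snort rule fires only on type 5 code 1 (redirect for host) travelling from $EXTERNAL_NET into $HOME_NET, while the ipchains "-p 1 5:5" rule keys on the ICMP type alone, so it also covers the other redirect codes and redirects that originate inside the LAN. $HOME_NET is assumed to be 192.168.1.0/24, the ppp0 interface test of the ipchains rule is not modelled, and discarding packets with a bad ICMP checksum is this example's own choice.

```python
import ipaddress
import struct

# Assumed stand-in for Snort's $HOME_NET; $EXTERNAL_NET is treated as !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

ICMP_REDIRECT = 5        # itype:5 in sid 472, "5:5" in the ipchains rule
ICMP_REDIRECT_HOST = 1   # icode:1 in sid 472


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, itype: int, icode: int, payload: bytes = b"") -> bytes:
    """Constructed test input: a minimal IPv4 header (no options) plus an ICMP message."""
    icmp = struct.pack("!BBH", itype, icode, 0) + payload
    icmp = struct.pack("!BBH", itype, icode, icmp_checksum(icmp)) + payload
    # ver/IHL, TOS, total length, id, flags/frag, TTL, proto 1 (ICMP), hdr cksum (left 0), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip_hdr + icmp


def parse_icmp(pkt: bytes):
    """Return (src, dst, itype, icode), or None for anything that is not a well-formed IPv4/ICMP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 4:      # protocol byte must be ICMP, header must be present
        return None
    icmp = pkt[ihl:]
    if icmp_checksum(icmp) != 0:               # valid checksum folds to zero when included in the sum
        return None
    return str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20])), icmp[0], icmp[1]


def snort_sid_472_matches(pkt: bytes) -> bool:
    """alert icmp $EXTERNAL_NET any -> $HOME_NET any (itype:5; icode:1;) as a predicate."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return False
    src, dst, itype, icode = parsed
    from_external = ipaddress.ip_address(src) not in HOME_NET
    to_home = ipaddress.ip_address(dst) in HOME_NET
    return from_external and to_home and itype == ICMP_REDIRECT and icode == ICMP_REDIRECT_HOST


def ipchains_type5_denies(pkt: bytes) -> bool:
    """'-A input -s 0/0 5:5 -d 0/0 -p 1 -j DENY': for ICMP the 'port' range is the type, any code."""
    parsed = parse_icmp(pkt)
    return parsed is not None and parsed[2] == ICMP_REDIRECT


# Constructed samples; the payload is the gateway address plus 8 bytes of the original datagram.
_REDIRECT_BODY = b"\xc0\xa8\x01\x01" + b"\x45" * 8
SAMPLE_PACKETS = {
    "redirect_host":     build_icmp_packet("203.0.113.1", "192.168.1.10", 5, 1, _REDIRECT_BODY),
    "redirect_network":  build_icmp_packet("203.0.113.1", "192.168.1.10", 5, 0, _REDIRECT_BODY),
    "internal_redirect": build_icmp_packet("192.168.1.1", "192.168.1.10", 5, 1, _REDIRECT_BODY),
    "echo_request":      build_icmp_packet("203.0.113.1", "192.168.1.10", 8, 0, b"\x00\x01\x00\x01abcd"),
}
_damaged = bytearray(SAMPLE_PACKETS["redirect_host"])
_damaged[-1] ^= 0xFF                         # corrupt the last payload byte so the ICMP checksum fails
SAMPLE_PACKETS["bad_checksum"] = bytes(_damaged)


def classify_samples() -> dict:
    """Map each sample name to (snort sid 472 alerts, ipchains type-5 rule denies)."""
    return {name: (snort_sid_472_matches(p), ipchains_type5_denies(p)) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (alerts, denies) in classify_samples().items():
        print("%-18s snort_alert=%-5s ipchains_deny=%s" % (name, alerts, denies))
```

Running it shows the gap between the two: the redirect-for-network and LAN-internal redirects never trigger sid 472 but are still dropped by the type-5 ipchains rule, which is why a firewall change and a Snort rule change are separate decisions.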