
[Snort-sigs] ICMP rules: sid 499, 473, 477, 487

From: <m(at)xx>
Date: Thu May 08 2003 - 11:16:07 EDT


Hi there,
Before disabling some ICMP rules, I would like to see any comments about the following:

Alerts that are probably FPs are generated by these rules (slightly changed for better readability):

  1. alert icmp $EXTERNAL_NET any -> $HOME_NET any
     (msg:"ICMP Large ICMP Packet"; dsize: >800;
      reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)

  2. alert icmp $EXTERNAL_NET any -> $HOME_NET any
     (msg:"ICMP redirect net"; itype:5; icode:0;
      reference:arachnids,199; reference:cve,CVE-1999-0265; classtype:bad-unknown; sid:473; rev:1;)

  3. alert icmp $EXTERNAL_NET any -> $HOME_NET any
     (msg:"ICMP Source Quench"; itype: 4; icode: 0;
      classtype:bad-unknown; sid:477; rev:1;)

  4. alert icmp any any -> any any
     (msg:"ICMP Destination Unreachable (Communication with Destination Network
      is Administratively Prohibited)"; itype: 3; icode: 9; sid:487; classtype:misc-activity; rev:2;)

Comments:  

  1. Generated by ICMP packets, many of them (not 100% sure) with the (long) payload containing a digisle.com system monitoring reference.
  2. Lots of alerts, but from 2 IP addresses, not in my home network but in the same Internet class C.
  3. I don't think this could be a probable attack, ever?

Thank you for any advice.  

Max    
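Editor's note, added example (not part of the original post and not Snort's own code): a minimal re-implementation of what the four quoted rules actually test, run over constructed ICMP messages, so that it is visible which fields each sid keys on (itype, icode, dsize and direction), why a monitoring ping trips sid 499, and why sid 487 with "any any -> any any" also fires on messages our own router sends out. It assumes $HOME_NET is 192.0.2.0/24 with $EXTERNAL_NET as everything else, uses documentation addresses throughout, and models dsize as Snort's ICMP decoder computes it (bytes after the 4-byte type/code/checksum header, and for echo/echo-reply also after the 4-byte id/seq field). The suppress_line helper emits the Snort 2.x threshold.conf syntax for silencing one sid for one source network, which is the narrower alternative to turning a rule off. The names build_icmp, decode_icmp, matching_sids and suppress_line are this example's own.

```python
"""Added example: evaluate the four ICMP rules from the post against constructed
ICMP messages. Not Snort's matching engine; a reduced model of the options used."""
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: stands in for $HOME_NET

# The four rules from the post, reduced to the options they test.
# "external_only" encodes "$EXTERNAL_NET any -> $HOME_NET any"; sid 487 is "any any -> any any".
RULES = [
    {"sid": 499, "msg": "ICMP Large ICMP Packet", "external_only": True, "dsize_gt": 800},
    {"sid": 473, "msg": "ICMP redirect net", "external_only": True, "itype": 5, "icode": 0},
    {"sid": 477, "msg": "ICMP Source Quench", "external_only": True, "itype": 4, "icode": 0},
    {"sid": 487, "msg": "ICMP Destination Unreachable (Admin Prohibited)",
     "external_only": False, "itype": 3, "icode": 9},
]

ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, icode: int, body: bytes) -> bytes:
    """Construct a raw ICMP message: type, code, checksum, then the rest of the message."""
    unchecked = struct.pack("!BBH", itype, icode, 0) + body
    return struct.pack("!BBH", itype, icode, inet_checksum(unchecked)) + body


def decode_icmp(raw: bytes):
    """Return (type, code, dsize), with dsize modelled on Snort's ICMP decoder (assumption):
    payload starts after the 4-byte header, or after the 8-byte header for echo/echo-reply."""
    itype, icode, _csum = struct.unpack("!BBH", raw[:4])
    if inet_checksum(raw) != 0:
        raise ValueError("bad ICMP checksum")
    payload_off = 8 if itype in (ICMP_ECHO, ICMP_ECHO_REPLY) else 4
    return itype, icode, max(0, len(raw) - payload_off)


def matching_sids(src: str, dst: str, raw: bytes) -> list:
    """Sids among RULES that would fire on this packet, in rule order."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    itype, icode, dsize = decode_icmp(raw)
    hits = []
    for rule in RULES:
        # $EXTERNAL_NET -> $HOME_NET: source outside, destination inside.
        if rule["external_only"] and (src_ip in HOME_NET or dst_ip not in HOME_NET):
            continue
        if rule.get("itype", itype) != itype or rule.get("icode", icode) != icode:
            continue
        if "dsize_gt" in rule and dsize <= rule["dsize_gt"]:
            continue
        hits.append(rule["sid"])
    return hits


def suppress_line(sid: int, cidr: str) -> str:
    """threshold.conf line (Snort 2.x syntax) silencing one sid for one source network."""
    ipaddress.ip_network(cidr)  # raises on a malformed network
    return f"suppress gen_id 1, sig_id {sid}, track by_src, ip {cidr}"


# Constructed sample traffic (documentation addresses; not captured data).
# Echo request: 4-byte id/seq, then a 900-byte payload mentioning the monitoring service.
MONITORING_PING = build_icmp(ICMP_ECHO, 0, b"\x00\x01\x00\x01"
                             + b"digisle.com monitoring ".ljust(900, b"A"))
# Error messages carry 4 bytes (gateway/unused) plus the offending IP header and 8 bytes of data.
REDIRECT_NET = build_icmp(5, 0, b"\xc0\x00\x02\x01" + b"\x45" + b"\x00" * 27)
SOURCE_QUENCH = build_icmp(4, 0, b"\x00" * 4 + b"\x45" + b"\x00" * 27)
ADMIN_PROHIBITED = build_icmp(3, 9, b"\x00" * 4 + b"\x45" + b"\x00" * 27)

if __name__ == "__main__":
    for name, src, dst, pkt in [
        ("monitoring ping from outside", "198.51.100.7", "192.0.2.10", MONITORING_PING),
        ("same ping from inside", "192.0.2.5", "192.0.2.10", MONITORING_PING),
        ("redirect from outside", "198.51.100.1", "192.0.2.10", REDIRECT_NET),
        ("source quench from outside", "198.51.100.1", "192.0.2.10", SOURCE_QUENCH),
        ("admin-prohibited sent by our router", "192.0.2.1", "198.51.100.9", ADMIN_PROHIBITED),
    ]:
        print(f"{name}: sids {matching_sids(src, dst, pkt)}")
    print(suppress_line(473, "198.51.100.0/24"))
```

The run shows the two points behind the post's observations: sid 499 cares only about payload length and direction, so any large external ping (monitoring included) fires it, and sid 487 has no direction at all, so administratively-prohibited messages emitted by the site's own equipment count as alerts too.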




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Fri May 9 09:42:17 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

