Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Alerts

from [Bill Parker] Network Security [Permanent Link]
Subject: Re: [Snort-users] Alerts
Date: Wed, 26 Jan 2005 10:37:37 -0800 

----- Original Message ----- 
From: "Hugo Chun Hin Lai" <hchlai@netscape.net>
To: "David Young" <korang@gmail.com>; <snort-users@lists.sourceforge.net>
Sent: Wednesday, January 26, 2005 8:22 AM
Subject: RE: [Snort-users] Alerts



David, I have also seen a lot of these ICMP packets on my network. In

fact, I have also seen "ICMP Destination Unreachable Communication
Administratively Prohibited" alerts on my network as well. Sig 485 and sig
486 seems to be related, but I have not figured out the exact differences. I
have read RFC 1812 but I am still very lost. I am currently checking my
routers' ACL and firewall rules to see if I am denying any traffic that's
particular causing the alert. The only worry that I have is spoofed traffic.
Can anybody give me some pointers on how to investigate these alerts (ICPM
Destination Unreachable Communication Administratively Prohibited & ICMP
Destination Unreachable Communication with Destination Host is
Administratively Prohibited)?

Actually, the first step you probably want to do is to prevent your router
from issuing messages about 'ip unreachables', and if you are using a cisco
based router, you can apply the command 'no ip unreachables' to every
interface that you have inbound from the internet and the
interface which actually serves as the gateway for your LAN.  Another thing
which would help would be to turn off 'directed broadcasts'
in the router as well (leads to a potential Smurf attack), this is also done
on the router interfaces in question.  Other routers may have these features
as well, so I would check with the vendors also.

Make sure that you back up your existing router configuration BEFORE
attempting any of these things (either via TFTP) or a copy and
paste operation into notepad, vi, etc.

If you are in a cisco environment, a couple of good books to get are:

The Cisco Cookbook - O'Reilly (ISBN 0596003676) and

Hardening Cisco Routers - O'Reilly (ISBN 0596001665)

Bill



-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Snort 2.3.0 Final released!, Frank Knobbe
Next by Date:  [Snort-users] ACID Dates, James M. Driskell
Previous by Thread:  RE: [Snort-users] Alerts, Hugo Chun Hin Lai
Next by Thread:  [Snort-users] Problem with Snort using ACID, Timo_Ochs
Indexes:  [Date] [Thread] [Top] [All Lists]