--On 29 August 2005 10:11 -0700 "Chris W. Parker" <cparker@swatgear.com>
wrote:
I have a lot of 'ICMP Destination Unreachable Port Unreachable' alerts
(36%) and I'm wondering what I should do to diagnose and correct the
problem.
I don't know much about networking so I wasn't able to glean much
insight from the Snort website
(http://www.snort.org/pub-bin/sigs.cgi?sid=402).
Sort by destination address (since these ICMP messages are generated in
response to something that the *destination* purportedly did /previously/),
and see if they are largely attributable to a single host. If they are,
chances are that host was port-scanning or was being used as a decoy source
address for a port scan. If not, they're probably just background noise.
For the future, I suggest using thresholding to limit the number of ICMP
Destination Unreachable alerts logged, such that only a particularly noisy
host causes alerts. e.g:
threshold: type both, track by_dst, count 800, seconds 600;
Thanks,
Chris.
HTH,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
