Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Everything being triggered as 1:486:4 ICMP unreachable

from [David Ryan] Network Security [Permanent Link]
Subject: Re: [Snort-users] Everything being triggered as 1:486:4 ICMP unreachable
Date: Tue, 5 Jun 2007 11:17:14 +0100 
Todd,

Thanks for the reply.  It was indeed a firewall issue - the device I was 
scanning was sending ICMP Host Administratively Unreachable packets when I 
tried certain scans, so I was seeing those packets.  As per the detail below I 
wasn't seeing the original traffic because of a problem with the _NET 
definitions.

Thanks,

David
-----Original Message-----
From: Todd Wease [mailto:twease@sourcefire.com]
Sent: 30 May 2007 13:15
To: David Ryan
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Everything being triggered as 1:486:4 ICMP 
unreachable

David Ryan wrote:


All,



To partly reply to my own question - one of my flaws was keeping
$HOME_NET as 10.0.0.0/8 - this prevented most of my test traffic from
triggering since my tests were coming from $HOME_NET and not
$EXTERNAL_NET.  This was significant where the rule I was testing was
of the form $EXTERNAL_NET -> $HOME_NET


[SNIP]


David



Sounds like it might be a firewall issue.  This response is usually sent
by a firewall to say that it's filter won't allow communication with
that host/port.  It may be allowing ssh to that host (port 22) and may
be allowing pings, but not allowing the host/port combo used in your test.

Todd

**********************  IMPORTANT--PLEASE READ  ************************
This electronic message, including its attachments, is COMPANY CONFIDENTIAL
and may contain PROPRIETARY or LEGALLY PRIVILEGED information.  If you are 
not the intended recipient, you are hereby notified that any use, disclosure,
copying, or distribution of this message or any of the information included
in it is unauthorized and strictly prohibited.  If you have received this
message in error, please immediately notify the sender by reply e-mail and
permanently delete this message and its attachments, along with any copies
thereof. If this electronic message contains a zipped attachment and you do
not have a decompression tool, you may download unZIP (free of cost) from:
http://www.mk-net-work.com/us/uz/unzip.htm. Alternatively, you may request
that the attachment be resent in an uncompressed format.        Thank you. 
************************************************************************


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: [Snort-users] Everything being triggered as 1:486:4 ICMP unreachable, David Ryan <=
Next by Date:  [Snort-users] (no subject), guna
Next by Thread:  [Snort-users] (no subject), guna
Indexes:  [Date] [Thread] [Top] [All Lists]