Snort - the de facto standard for intrusion detection/prevention
Next: 4.10 Why do many Up: 4 Rules and Alerts Previous: 4.8 Why does the

4.9 What are all these "ICMP destination unreachable" alerts?

ICMP stands for Internet Control Message Protocol. For the most part these alerts are failed connections. An ICMP Destination Unreachable message carries the IP header of the original datagram plus at least the first 64 bits (8 bytes) of its data, so the message identifies which packet could not be delivered; for TCP and UDP those 8 bytes include the original source and destination ports.

An ICMP Destination Unreachable (message type 3) is sent back to the originator when an IP packet could not be delivered to the destination address. The ICMP Code field indicates why the packet could not be delivered. The original codes, from RFC 792, are:

  • 0 - net unreachable
  • 1 - host unreachable
  • 2 - protocol unreachable
  • 3 - port unreachable
  • 4 - fragmentation needed and DF bit set
  • 5 - source route failed

As far as why... "it all depends..."

ICMP Unreachable error messages fall into two groups, depending on who generates them:

  1. ICMP Unreachable error messages issued by routers (any of the 16 codes, 0 through 15)
  2. ICMP Unreachable error messages issued by the destination host itself (only 2 of them)

The two issued by a host are: ICMP Port Unreachable (code 3), meaning the destination port on the targeted host is closed (a.k.a. not in a listening state); and ICMP Protocol Unreachable (code 2), meaning the transport protocol we were trying to use is not supported on the targeted host. Because only the end host generates these two, receiving one tells you the packet actually reached that host; the other codes come from a router somewhere along the path.

Together, the ICMP Type and Code fields indicate why the packets could not be delivered. Some Snort ICMP alerts are purely informational, like the ones found in icmp-info.rules. At this time those rules carry no reference or even classtype options.

Other rules are more likely to be associated with untoward activity. For example, in icmp.rules you will find:

# One rule, wrapped with backslash continuations so Snort still reads it as a single line.
# |495353504e475251| is the hex encoding of the string "ISSPNGRQ"; itype:8 restricts the
# match to ICMP Echo Requests, and depth:32 requires the string within the first 32 bytes.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; \
    content:"|495353504e475251|"; itype:8; depth:32; reference:arachnids,158; \
    classtype:attempted-recon; sid:465; rev:1;)

This rule carries a reference option, so the importance of the event can be determined by looking up the arachNIDS entry it points to. The classtype (here attempted-recon) gives a rough indication of the relative importance of the event, and the content option shows what the rule actually looks for: the hex bytes |495353504e475251| decode to the string "ISSPNGRQ" that the ISS pinger puts in its Echo Request payload.
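To make the rule's options concrete, here is a small evaluator, added here as an example and not code from the Snort project: it parses the rule above as text, decodes the |...| hex content into bytes, and applies itype and depth to constructed ICMP packets. It handles only the subset of option syntax this one rule uses (one value per keyword, no semicolons inside quoted strings), and it assumes, as Snort's decoder does for echo messages, that content is matched against the data following the 8-byte echo header.

```python
import struct

# The icmp.rules entry quoted above, joined onto one line the way Snort reads it.
ISS_PINGER_RULE = (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; '
    'content:"|495353504e475251|";itype:8;depth:32; reference:arachnids,158; '
    'classtype:attempted-recon; sid:465; rev:1;)'
)


def decode_content(spec: str) -> bytes:
    """Snort content syntax: literal text outside |...|, hex bytes inside."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Split a one-line rule into its header fields and a dict of options.
    Subset parser: one value per keyword, no ';' inside quoted strings."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {}
    for item in body.rstrip(") ").split(";"):
        key, sep, value = item.strip().partition(":")
        if sep:
            opts[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": opts}


def icmp_echo(itype: int, data: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed ICMP echo request/reply; checksum left zero, not checked here."""
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + data


def rule_fires(rule: dict, icmp_pkt: bytes):
    """Return the rule's sid if itype, content and depth all hold, else None.
    Assumption: content is matched against the echo data that follows the
    8-byte ICMP echo header, which is the buffer Snort's decoder exposes."""
    opts = rule["options"]
    if "itype" in opts and icmp_pkt[0] != int(opts["itype"]):
        return None
    if "content" in opts:
        data = icmp_pkt[8:]
        # depth:N means the whole pattern must end within the first N bytes
        window = data[:int(opts["depth"])] if "depth" in opts else data
        if decode_content(opts["content"]) not in window:
            return None
    return opts.get("sid")


if __name__ == "__main__":
    rule = parse_rule(ISS_PINGER_RULE)
    print(rule["options"]["msg"], "->", decode_content(rule["options"]["content"]))
    # Constructed packets: only the first one should fire sid 465.
    samples = {
        "ISS Pinger echo request": icmp_echo(8, b"ISSPNGRQ" + b"\x00" * 24),
        "same payload in an echo reply": icmp_echo(0, b"ISSPNGRQ" + b"\x00" * 24),
        "marker past depth 32": icmp_echo(8, b"\x00" * 30 + b"ISSPNGRQ"),
    }
    for name, pkt in samples.items():
        print("%-32s sid=%s" % (name, rule_fires(rule, pkt)))
```

The third sample is the one worth noticing: the marker is present in the packet but ends at byte 38, so depth:32 keeps the rule from firing, which is exactly what depth is for (bounding the search so the content option cannot be satisfied by padding deep in the payload).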

When the destination UDP port on the targeted host is closed (a.k.a. not in a listening state), the targeted host issues an ICMP Port Unreachable error message back to the source IP address of the offending packet. Some programs rely on these messages: the traditional *nix traceroute sends UDP probes to high-numbered, normally closed ports and takes the Port Unreachable from the final host as proof that the destination was reached (intermediate hops are identified by ICMP Time Exceeded messages instead). Windows tracert defaults to ICMP Echo Requests, so it elicits Echo Replies rather than Port Unreachables...
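The message layout described at the start of this section (quoted IP header plus the first 64 bits of data) and the traceroute use of Port Unreachable just mentioned, as one added example that is not from the Snort FAQ or the Snort source: it builds a UDP probe and the ICMP Destination Unreachable that a host or a router would return for it, then parses the reply, verifies the ICMP checksum, pulls the original addresses and ports out of the quote, labels codes 2 and 3 as host-generated per the grouping above, and matches the reply back to the probe the way traceroute has to. The addresses, ports and payload are constructed, and the function names are this example's own.

```python
import struct
from dataclasses import dataclass
from socket import inet_aton, inet_ntoa
from typing import Optional

# ICMP type 3 codes: 0-5 from RFC 792, 6-15 added later (IANA icmp-parameters).
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 6: "destination network unknown",
    7: "destination host unknown", 8: "source host isolated",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    11: "network unreachable for TOS", 12: "host unreachable for TOS",
    13: "communication administratively prohibited", 14: "host precedence violation",
    15: "precedence cutoff in effect",
}
HOST_CODES = {2, 3}   # the two codes the destination host itself generates

@dataclass
class Unreach:
    code: int
    reason: str
    origin: str                  # "host" (code 2 or 3) or "router" (everything else)
    orig_src: str                # from the quoted IP header
    orig_dst: str
    orig_proto: int
    orig_sport: Optional[int]    # from the quoted 64 bits, TCP/UDP only
    orig_dport: Optional[int]

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    # UDP checksum 0 means "not computed", which RFC 768 allows over IPv4.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_unreach(code: int, original: bytes, quoted_bytes: int = 8) -> bytes:
    """Type 3 message quoting the original IP header plus the first quoted_bytes
    of its data (RFC 792 requires at least 64 bits)."""
    ihl = (original[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", 3, code, 0, 0) + original[:ihl + quoted_bytes]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_unreach(icmp: bytes) -> Unreach:
    """Decode a type 3 message and recover which datagram of ours it refers to."""
    if len(icmp) < 8 + 20 or icmp[0] != 3:
        raise ValueError("not a complete ICMP destination unreachable message")
    if inet_checksum(icmp) != 0:              # the checksum covers the quoted bytes too
        raise ValueError("bad ICMP checksum")
    quote = icmp[8:]
    ihl = (quote[0] & 0x0F) * 4
    if (quote[0] >> 4) != 4 or ihl < 20 or len(quote) < ihl + 8:
        raise ValueError("quote shorter than IPv4 header + 64 bits of data")
    code, proto = icmp[1], quote[9]
    sport = dport = None
    if proto in (6, 17):                      # TCP and UDP both start with the two ports
        sport, dport = struct.unpack("!HH", quote[ihl:ihl + 4])
    return Unreach(code, UNREACH_CODES.get(code, "unassigned code %d" % code),
                   "host" if code in HOST_CODES else "router",
                   inet_ntoa(quote[12:16]), inet_ntoa(quote[16:20]), proto, sport, dport)

def is_valid_unreach(icmp: bytes) -> bool:
    try:
        parse_unreach(icmp)
        return True
    except ValueError:
        return False

def explain_probe_reply(probe: bytes, icmp_reply: bytes) -> str:
    """traceroute-style reading of a reply: is it about our UDP probe, and did
    the final host answer (port closed) or some router along the path?"""
    u = parse_unreach(icmp_reply)
    ihl = (probe[0] & 0x0F) * 4
    sent = (inet_ntoa(probe[12:16]), inet_ntoa(probe[16:20])) + struct.unpack("!HH", probe[ihl:ihl + 4])
    if (u.orig_src, u.orig_dst, u.orig_sport, u.orig_dport) != sent:
        return "unrelated: quotes %s:%s -> %s:%s" % (u.orig_src, u.orig_sport, u.orig_dst, u.orig_dport)
    if u.code == 3:
        return "destination %s reached, port %d closed" % (u.orig_dst, u.orig_dport)
    return "router reports %s for %s" % (u.reason, u.orig_dst)

# Constructed sample traffic (documentation/private addresses, not real hosts): a
# traceroute-style UDP probe to a high, normally closed port, and two possible answers.
PROBE = build_ipv4("10.0.0.5", "192.0.2.10", 17, build_udp(33434, 33435, b"traceroute probe"))
REPLY_FROM_HOST = build_unreach(3, PROBE)      # the target itself: port unreachable
REPLY_FROM_ROUTER = build_unreach(1, PROBE)    # a last-hop router: host unreachable

if __name__ == "__main__":
    for reply in (REPLY_FROM_HOST, REPLY_FROM_ROUTER):
        print(parse_unreach(reply))
        print(explain_probe_reply(PROBE, reply))
```

The correlation step is the part that matters in practice: an unreachable whose quoted addresses and ports do not match anything you sent is either a stale reply, a spoofed one, or an answer to traffic from a different process, and that distinction is worth making before deciding whether the alert is noise.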

For further information about this, see:

  • IP - ftp://ftp.isi.edu/in-notes/rfc791.txt
  • ICMP - ftp://ftp.isi.edu/in-notes/rfc792.txt
  • TCP - ftp://ftp.isi.edu/in-notes/rfc793.txt
  • UDP - ftp://ftp.isi.edu/in-notes/rfc768.txt

and

http://www.iana.org/assignments/icmp-parameters

Actually, putting this URL somewhere handy is a good idea:

http://www.iana.org/

There is also a good ICMP paper on http://www.sys-security.com/

