
Thread: ICMP Destination Unreachable (Communication Administratively Prohibited)

  1. #31
    Originally posted here by tolstoy


    If ident is triggering these snort alerts, the original destination port listed in the alert should be 113. In some of the alerts you have posted, I have seen other destination ports referenced beside 113. I would not chalk this one up to ident traffic originating from your sendmail box unless all of your alerts specifically reference 113 (unless of course ident uses other ports I am unaware of).
    Gee thanks tolstoy, that just made my day

    Fact of the matter is, we still have one or two slipping through (even after we reconfigured the firewall); we did manage to stop about 90% of the messages though. We can't shut down all Ident coming out of sendmail because when we tried, all inbound e-mail was stopped. We are still investigating the one or two that are coming in, but they may be because of this port thing, or something else is sending out a request.

    The adventure continues.....
    DjM

  2. #32
    I'm still seeing these occasional alerts as well. They are being generated by three boxes on my network, one being a sendmail box (just like you), but the other two are Win2k Pro, and are the result of web browsing. I'm a bit worried/perplexed because the traffic triggering these alerts is only coming from those two LAN boxes and is going out over port 80. Right now I'm starting to run daily tcpdumps to try to see what the heck is in the packets that trigger these remote routers to respond with an ICMP message. Hopefully it's all benign stuff.

  3. #33
    Originally posted here by tolstoy
    Right now I'm starting to run daily tcpdumps to try to see what the heck is in the packets that trigger these remote routers to respond with an ICMP message. Hopefully it's all benign stuff.
    I agree, I believe these to be benign as well, we would just like to locate the root cause (other than the Ident stuff). We are currently running a 'snoop' on our firewall to see what that is going to tell us.

    Cheers:
    DjM
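The check tolstoy describes in #31 (is the original destination port in the ICMP alert really 113?) and the packet inspection planned in #32 both come down to reading the original IP and TCP header that a "Communication Administratively Prohibited" message quotes back to the sender. The following is an added example, not code from any poster in this thread: it builds constructed ICMP type 3 / code 13 packets (IPv4 without options, TCP inside, checksums left zero, RFC 5737 sample addresses) and recovers the original source, destination and ports so that ident replies can be separated from everything else.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_ADMIN_PROHIBITED = 13   # "Communication Administratively Prohibited"
IDENT_PORT = 113

def _ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_admin_prohibited(router, orig_src, orig_dst, sport, dport):
    """Constructed ICMP 3/13 from 'router' back to 'orig_src', quoting the original
    IP header plus the first 8 bytes of the original TCP header (RFC 792)."""
    inner_tcp = struct.pack("!HHI", sport, dport, 0)        # src port, dst port, seq
    inner_ip = _ipv4_header(orig_src, orig_dst, 6, 20)       # claims a 20-byte TCP segment
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0)
    icmp += inner_ip + inner_tcp
    return _ipv4_header(router, orig_src, 1, len(icmp)) + icmp

def parse_icmp_unreachable(pkt):
    """Describe the original packet quoted inside an ICMP Destination Unreachable, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                      # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]                     # quoted original IP header starts after ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    l4 = inner[inner_ihl:inner_ihl + 8]  # at least 8 bytes of original transport header
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {"router": socket.inet_ntoa(pkt[12:16]), "code": icmp[1],
            "orig_src": socket.inet_ntoa(inner[12:16]),
            "orig_dst": socket.inet_ntoa(inner[16:20]),
            "proto": proto, "orig_sport": sport, "orig_dport": dport}

def classify(info):
    """Apply the thread's rule: only dport 113 can be blamed on ident; anything else needs a look."""
    if info is None or info["code"] != ICMP_ADMIN_PROHIBITED:
        return "not-admin-prohibited"
    if info["orig_dport"] == IDENT_PORT:
        return "ident-reply"
    return "other-port-%s" % info["orig_dport"]
```

Feeding real captures through parse_icmp_unreachable (after stripping the link-layer header) gives the same dict, so a daily tcpdump can be reduced to a count per original destination port.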
