LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-09-2002, 04:59 PM   #1
tarballedtux
Too many Snort false alarms


I recently reviewed my Snort log and saw an amazing 78-page-long log of basically the same thing over and over. Now if someone can tell me what is causing this, that would be great, or just tell me how to get Snort to ignore the particular host (my cable modem).

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
09/28/02-03:36:46.645937 10.96.216.1 -> 192.168.0.25
ICMP TTL:255 TOS:0x0 ID:51384 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED#
** ORIGINAL DATAGRAM DUMP:
68.81.x.x:0 -> 172.16.1.33:0
TCP TTL:126 TOS:0x0 ID:18560 IpLen:20 DgmLen:48 DF
Seq: 0x23CDC9BB Ack: 0x101060E
** END OF DUMP OF DUMP


The cable modem is for some reason holding an IP which is obviously a private class A, which for the life of me I can't seem to port scan or find out what it's doing. The cable modem is 10.96.216.1. I have no idea what 172.16.1.33 is; all I know is that it's private.

--tarballedtux

 
Old 10-09-2002, 06:37 PM   #2
unSpawn
In snort.conf:
If you for instance have "var HOME_NET [68.81.38.0/24]" (public interface address, .237/32 or .0/24), add "include <snort custom rules dir>/pass.rules". In <snort custom rules dir>/pass.rules:
pass icmp $HOME_NET any -> any any (msg:"ICMP Destination Unreachable (Communication Administratively Prohibited)"; itype:3; icode:13;)
should do it, else just substitute the HOME_NET in the rule for the IP address of the public interface. You could also try BPF filtering.

If you tcpdump a "conversation" between you and these hosts it's easier to determine why 3/13's are sent. IIRC 3/13's are sent when access is denied to a UDP port (type 3) because it's being filtered (code 13). Kinda like when access is denied (type 3) to a UDP port cuz it ain't open (code 3).
 
Old 10-10-2002, 09:31 PM   #3
tarballedtux
Sorry, that was a little confusing, unSpawn. My HOMENET is 192.168.0.0/24. The 68.81.x.x is a public IP. That was my mistake for not editing it in the first place, but you could just remove that from your previous post. Anyway, I'm completely confused about the IPs that are showing up in my logs. Here's my topology:

|||
|||
---------------------
| cable modem
| 10.96.216.1
| (I think)
---------------------
||
|| --- eth1=68.81.x.x
||
----------------
Linux router|
----------------
||
||---192.168.0.0/24
||
||
-------
HUB | -------------Nodes
-------
|
|
|
Nodes

Maybe that helps. I still can't figure out where 172.16.1.33 came from.

--tarballedtux
 
Old 10-11-2002, 09:23 AM   #4
unSpawn
ok, that ./make sense...

If I read the ascii dump correctly it says "10.96.216.1 warn 192.168.0.25, sending UDP to 172.16.1.33 over eth1 is denied/filtered". This looks to me like you're not blocking traffic to the Class B address range on the Linux router/NAT fw, else it couldn't even reach 10.96.216.1.
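To do this reading at scale instead of by eye over 78 pages, here is an added example (mine, not from the thread, the poster, or Snort's own tooling) that parses Snort full-format alerts, counts 3/13s per ICMP sender, flags quoted datagram destinations that fall in RFC 1918 space outside HOME_NET, and emits a pass rule scoped to a single noisy host. The alert text inside is a constructed sample in the shape quoted above, and the note about -o / config order refers to Snort versions of this thread's era.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample in the full-alert shape quoted in this thread; 10.96.216.1 is the thread's
# cable modem, the other addresses are documentation/test ranges standing in for real ones.
SAMPLE_ALERTS = """\
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
09/28/02-03:36:46.645937 10.96.216.1 -> 192.168.0.25
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
203.0.113.5:0 -> 172.16.1.33:0

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
09/28/02-03:40:01.000001 198.51.100.9 -> 192.168.0.25
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
203.0.113.5:53 -> 198.51.100.7:53
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HEADER = re.compile(r"^\S+ (\S+) -> (\S+)$", re.M)                   # timestamp src -> dst
TYPECODE = re.compile(r"^Type:(\d+) Code:(\d+)", re.M)
INNER = re.compile(r"DATAGRAM DUMP:\n(\S+):\d+ -> (\S+):\d+", re.M)  # quoted datagram src -> dst

def parse_alerts(text):
    """Split a Snort full-format alert file into records, keeping only ICMP type 3 code 13."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr, tc, inner = HEADER.search(block), TYPECODE.search(block), INNER.search(block)
        if not (hdr and tc and inner) or tc.groups() != ("3", "13"):
            continue
        records.append({"icmp_src": hdr.group(1), "icmp_dst": hdr.group(2),
                        "orig_src": inner.group(1), "orig_dst": inner.group(2)})
    return records

def triage(records, home_net):
    """Count 3/13s per sender; list quoted destinations in RFC 1918 space outside HOME_NET."""
    home = ipaddress.ip_network(home_net)
    senders, leaked = Counter(), set()
    for r in records:
        senders[r["icmp_src"]] += 1
        dst = ipaddress.ip_address(r["orig_dst"])
        if any(dst in net for net in RFC1918) and dst not in home:
            leaked.add(str(dst))  # something inside is sending to a private range (post #4)
    return senders, sorted(leaked)

def pass_rule(sender_ip, sid):
    """Pass rule silencing ICMP 3/13 from one noisy host only. On Snort of this era a pass rule
    only beats the alert rule when run with -o (or 'config order: pass alert log')."""
    return (f'pass icmp {sender_ip} any -> $HOME_NET any (msg:"ICMP 3/13 from {sender_ip}"; '
            f"itype:3; icode:13; sid:{sid}; rev:1;)")
```

Run triage() on the real alert file with your own HOME_NET; a non-empty leaked list is the hint that a host or the router itself is emitting traffic to a private range the firewall should drop.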
 
Old 10-11-2002, 03:47 PM   #5
tarballedtux
So for some reason unknown, a box behind my firewall or maybe the firewall itself is trying to send to a 172.x.x.x address? Hmm, I guess I should just block all private addresses, 10.x.x.x and 172.x.x.x; at least I will allow the one cable modem IP.


--tarballedtux
 
Old 10-11-2002, 06:32 PM   #6
unSpawn
Aw cummon dude, you're the one with the CCNA training :-] Provided your ISP does its part in egress filtering, ok then it prolly stops at the next hop, but if not/or anyway how does *your* network know not to accept in/outbound private ranges then if you don't filter for 'em?

Btw do you run snort in binary mode and with tcpdump logs, or ASCII only? If you log all traffic it should be fairly easy to load the dump into ethereal and look for uh, periodicity, and addresses, then run a dump on the host, or attach a BPF filter to a tcpdump to fine-tune something like "dest host 172.16.1.33" or "src host <IP address> and dest host 172.16.1.33"...