Discussion:
[Snort-users] question about ICMP echo reply (undefined code) rule
Rob Burris
2003-11-20 21:34:30 UTC
Snort is logging alerts when ICMP type 0 echo reply messages come back
into my network. I'm okay with that as long as the echo request was
sent from my network. But I'm a little confused about the SID
description of this type of alert:

"This event is generated when a network host generates an ICMP Echo
Reply with an invalid or undefined ICMP Code."

http://www.snort.org/snort-db/sid.html?id=40

This snort rule is looking for an ICMP packet with itype:0:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)

But isn't this type of ICMP message expected back from the machine that
is replying to the request?

"ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo
Reply datagrams. This type of message is used to determine if a host is
active on the network."

I guess I'm not sure why it is considered invalid or undefined. Just
wondering...

- ro


------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate
______________________________________________
Snort-users mailing list
Snort-***@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Matt Kettler
2003-11-20 22:36:23 UTC
Post by Rob Burris
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)
> But isn't this type of ICMP message expected back from the machine that is
> replying to the request?
Technically itype 0 icode 0 is expected. itype 0 with any other icode is not.

This rule is really meant to be used in conjunction with SID 408... SID 408
picks up the ones with icmp type/code of 0/0, and then 409 picks up
everything else.
Rob Burris
2003-11-21 00:59:08 UTC
Post by Matt Kettler
> Post by Rob Burris
> > alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)
> > But isn't this type of ICMP message expected back from the machine
> > that is replying to the request?
> Technically itype 0 icode 0 is expected. itype 0 with any other icode is not.
> This rule is really meant to be used in conjunction with SID 408...
> SID 408 picks up the ones with icmp type/code of 0/0, and then 409
> picks up everything else.
Ok, that makes sense, but then shouldn't snort log the message with SID
408 instead of SID 409? If I ping yahoo.com snort logs the alert as SID
409. Why would yahoo.com reply with an invalid or undefined icmp message?

[**] ICMP Echo Reply (Undefined Code!) <http://snort.keepthevibe.com/sig/sigsid-409.html> [**]
2003-11-20:14:10:45 66.218.71.198 <http://snort.keepthevibe.com/66/218/71/src66.218.71.198.html> ->
10.0.1.1 <http://snort.keepthevibe.com/10/0/1/dest10.0.1.1.html>
ICMP TTL:243 TOS:0 ID:48631 IpLen:5 DgmLen:8
Type:0 Code:0 ID: Seq:

- ro
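Matt's explanation of how SID 408 and SID 409 are meant to pair, and the Type:0 Code:0 reply in Rob's log that nevertheless fired SID 409, can both be checked by modelling the rules' itype/icode options the way Snort evaluates them. The following Python is an added example, not code from this thread or from the Snort project. SID 409's options are taken from the rule text quoted above (itype:0 and no icode option at all); the options assumed for SID 408 (itype:0, icode:0) follow Matt's description and are an assumption, as is the alternative rule set that adds icode:>0 to 409 using Snort's icode range syntax. The ICMP headers are constructed in the code, not captured traffic.

```python
"""Model of how Snort's itype/icode options match an ICMP header.

Constructed example for the SID 408 / SID 409 discussion; not Snort code.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Union

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# None = no icode option (any code), int = exact code, ">N" = code greater than N
IcodeSpec = Optional[Union[int, str]]


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    itype: int
    icode: IcodeSpec = None


# SID 409 exactly as quoted in the thread: itype:0 and no icode option at all.
# SID 408's options are an assumption based on Matt's description (type/code 0/0).
RULES_AS_WRITTEN = [
    Rule(408, "ICMP Echo Reply", itype=0, icode=0),
    Rule(409, "ICMP Echo Reply (Undefined Code!)", itype=0, icode=None),
]

# Hypothetical variant (not the official ruleset): give 409 an icode:>0 option so the
# two rules no longer overlap on a well-formed reply. RFC 792 defines only code 0 for type 0.
RULES_DISJOINT = [
    Rule(408, "ICMP Echo Reply", itype=0, icode=0),
    Rule(409, "ICMP Echo Reply (Undefined Code!)", itype=0, icode=">0"),
]


def build_icmp_header(icmp_type: int, code: int, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a constructed 8-byte ICMP header: type, code, checksum, identifier, sequence.

    The checksum is left at zero because the itype/icode options never evaluate it.
    """
    return struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)


def parse_icmp_header(payload: bytes) -> dict:
    """Parse the fixed 8-byte ICMP header; raise on a truncated datagram."""
    if len(payload) < 8:
        raise ValueError("ICMP header needs at least 8 bytes, got %d" % len(payload))
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return {"type": icmp_type, "code": code, "checksum": checksum, "id": ident, "seq": seq}


def icode_matches(spec: IcodeSpec, code: int) -> bool:
    """Evaluate one icode option: absent matches any code, int is exact, '>N' is a lower bound."""
    if spec is None:
        return True
    if isinstance(spec, int):
        return code == spec
    if spec.startswith(">"):
        return code > int(spec[1:])
    raise ValueError("unsupported icode spec: %r" % spec)


def matching_sids(payload: bytes, rules: List[Rule] = RULES_AS_WRITTEN) -> List[int]:
    """Return the SIDs of every rule whose itype and icode options both match the header."""
    hdr = parse_icmp_header(payload)
    return [r.sid for r in rules
            if hdr["type"] == r.itype and icode_matches(r.icode, hdr["code"])]


if __name__ == "__main__":
    samples = {
        "well-formed echo reply (type 0, code 0)": build_icmp_header(ICMP_ECHO_REPLY, 0),
        "echo reply with undefined code 5": build_icmp_header(ICMP_ECHO_REPLY, 5),
        "echo request (type 8, code 0)": build_icmp_header(ICMP_ECHO_REQUEST, 0),
    }
    for label, pkt in samples.items():
        print("%-42s as written: %-11s disjoint: %s"
              % (label, matching_sids(pkt), matching_sids(pkt, RULES_DISJOINT)))
```

With the rules as written, a Code:0 reply satisfies both SID 408 and SID 409, because 409 carries no icode option at all; when Snort reports a single alert for a packet, which of the two messages shows up depends on the order the rules are evaluated in, not on anything odd about the reply. That is consistent with Rob's alert showing Type:0 Code:0 under SID 409. A reply with a code other than 0 matches only 409, which is the case the "Undefined Code" message is meant for. Adding icode:>0 to 409 makes the two alerts disjoint, so a well-formed reply fires only 408.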