File: 437.txt

snort 2.3.3-11
Rule:

--

Sid:
437

--

Summary:
This event is generated when a network host generates an ICMP Redirect for the Type of Service and Network datagram.

--

Impact:
Redirect messages are normally an indication that a shorter route to a particular destination exists.  

--

Detailed Information:
ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists.  When a gateway device receives an Internet datagram from a host on the same network, a check is performed to determine the address of the next hop (gateway) in the route to the datagram's destination.  The datagram is then forwarded to the next hop on the route.  If this next-hop gateway is also on the same network as the originating host, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic.  The ICMP Redirect message informs the original host that a shorter route exists and that any additional traffic should be forwarded directly to the closer gateway device.
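As an added example (not part of this rule document or of Snort itself), the following Python parses a raw IPv4/ICMP datagram, verifies the ICMP checksum, and classifies an ICMP Redirect (type 5) by its RFC 792 code, flagging code 2 (Type of Service and Network) as the condition this rule alerts on. The sample datagrams, the addresses in them (RFC 5737 documentation ranges), and the helper names are constructed for the example.

```python
"""Classify ICMP Redirect messages by RFC 792 code (added example, not Snort code)."""
import struct
from ipaddress import IPv4Address

ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
SID_437_CODE = 2  # "Redirect for the Type of Service and Network" is what this rule alerts on

# Redirect codes as defined in RFC 792
REDIRECT_CODES = {
    0: "Redirect datagrams for the Network",
    1: "Redirect datagrams for the Host",
    2: "Redirect datagrams for the Type of Service and Network",
    3: "Redirect datagrams for the Type of Service and Host",
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header with a correct header checksum (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_icmp(src: str, dst: str, itype: int, code: int, rest_of_header: int, payload: bytes) -> bytes:
    """Build an IPv4 datagram carrying one ICMP message with a correct ICMP checksum (constructed)."""
    body = struct.pack("!BBHI", itype, code, 0, rest_of_header) + payload
    icmp = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def parse_redirect(packet: bytes):
    """Return a dict describing an ICMP Redirect in `packet`, or None if it is not one."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:  # IPv4 carrying ICMP only
        return None
    ihl = (ver_ihl & 0x0F) * 4
    icmp = packet[ihl:total_len]
    # 8-byte ICMP header followed by the offending datagram's IP header (RFC 792)
    if len(icmp) < 8 + 20:
        return None
    itype, code, _icmp_csum, gateway = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_REDIRECT:
        return None
    inner = icmp[8:]  # original datagram header: the flow the host is being told to reroute
    return {
        "code": code,
        "code_name": REDIRECT_CODES.get(code, "unknown code"),
        "gateway": str(IPv4Address(gateway)),
        "original_src": str(IPv4Address(inner[12:16])),
        "original_dst": str(IPv4Address(inner[16:20])),
        "checksum_ok": checksum(icmp) == 0,
        "matches_sid_437": code == SID_437_CODE,
    }


# Constructed sample traffic: an original UDP/53 datagram from a host, a redirect for
# TOS+network pointing it at another gateway, a host-only redirect, and an echo request.
INNER = ipv4_header("192.0.2.10", "198.51.100.7", 17, 8) + struct.pack("!HHHH", 40000, 53, 8, 0)
GATEWAY = int(IPv4Address("192.0.2.254"))
TOS_NET_REDIRECT = build_icmp("192.0.2.1", "192.0.2.10", ICMP_REDIRECT, 2, GATEWAY, INNER)
HOST_REDIRECT = build_icmp("192.0.2.1", "192.0.2.10", ICMP_REDIRECT, 1, GATEWAY, INNER)
ECHO_REQUEST = build_icmp("192.0.2.10", "198.51.100.7", ICMP_ECHO_REQUEST, 0, 0, b"abcd")

if __name__ == "__main__":
    for name, pkt in [("tos+net", TOS_NET_REDIRECT), ("host", HOST_REDIRECT), ("echo", ECHO_REQUEST)]:
        print(name, parse_redirect(pkt))
```

Only a redirect whose code is 2 sets `matches_sid_437`; a host-only redirect (code 1) and non-redirect ICMP are reported as such, and a redirect whose checksum does not verify is still returned but with `checksum_ok` false so that a malformed message is not silently dropped from review.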

--

Attack Scenarios:
Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.  

--

Ease of Attack:
Numerous tools and scripts can generate this type of ICMP datagram.

--

False Positives:
ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.  

--

False Negatives:
None known

--

Corrective Action:
Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams.

--

Contributors:
Original rule writer unknown
Sourcefire Research Team
Matthew Watchinski (matt.watchinski@sourcefire.com)

--

Additional References:
RFC792


--