[Bro] icmp_time_exceeded

Christoph Goeldi goeldich at ee.ethz.ch
Wed Feb 16 01:27:19 PST 2005

hi vern

isn't there a possibility (an event) to recognize icmp requests dropped
by the firewall. like the event connection_attempt in case of tcp.
for example this would be useful to detect the welchia worm which scans
for victims via icmp.


Zitat von Vern Paxson <vern at icir.org>:

> > what does the icmp_time_exceeded event mean?
> It's its own ICMP message (it indicated a datagram whose TTL expired, so
> for example traceroute uses these) - it does not have any relationship to
> other ICMP's timing out.
> 		Vern
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list