[Bro] icmp_time_exceeded

Christoph Goeldi goeldich at ee.ethz.ch
Wed Feb 16 01:27:19 PST 2005


Hi Vern,

Isn't there a possibility (an event) to recognize ICMP requests dropped
by the firewall, like the event connection_attempt in the case of TCP?
For example, this would be useful to detect the Welchia worm, which scans
for victims via ICMP.

Thanks,
Christoph


Quoting Vern Paxson <vern at icir.org>:

> > what does the icmp_time_exceeded event mean?
>
> It's its own ICMP message (it indicated a datagram whose TTL expired, so
> for example traceroute uses these) - it does not have any relationship to
> other ICMP's timing out.
>
> 		Vern





