Enterasys Intrusion Prevention System Manual page 213

Network sensor policies and signatures guide
Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: ICMP
7.0 XML Attribute: NSC/SC/C/ICMPAnalysis/LogICMP
Description: The ICMP protocol is used by a variety of normal and hacker activities, and logging all of it generates a lot of information. The Network Sensor can filter ICMP traffic and log only specific ICMP events. LogICMP tells the Network Sensor which ICMP traffic to filter and which to log. There are four arguments. The first is the ignore or log setting, followed by the network source declaration. The third argument is the ICMP type value; this is where echo requests, netmask requests and a variety of other ICMP traffic can be specified. A value of 256 is used as a wildcard. The fourth argument needs to be set to 256 unless it is required to filter on specific ICMP protocol type three packets (see examples below). The Network Sensor can accept a maximum of sixteen ICMP rules. Events of this type are named ICMP.
Technical Notes: The maximum number of ICMP rules is 16. For convenience, a simple list of ICMP protocol values is included:
Type  Code  Name                       Reference
----  ----  -------------------------  ---------
0     -     ECHO REPLY
3     0     DESTINATION UNREACHABLE
3     1     HOST UNREACHABLE
3     2     PROTOCOL UNREACHABLE
3     3     PORT UNREACHABLE
3     4     FRAGMENTATION NEEDED
3     5     SOURCE ROUTE FAILED
3     6     NETWORK UNKNOWN
3     7     HOST UNKNOWN
3     8     HOST ISOLATED
3     9     PROHIBITED NETWORK         [RFC1256]
3     10    PROHIBITED HOST
3     11    NETWORK TOS
3     12    HOST TOS
3     13    ADMIN PROHIBITED FILTER
4     -     SOURCE QUENCH
11    -     TIME EXCEEDED
12    -     DATA PROBLEM
13    -     TIMESTAMP REQUEST
14    -     TIMESTAMP REPLY
15    -     INFO REQUEST
16    -     INFO REPLY
17    -     NETMASK REQUEST
18    -     NETMASK REPLY
30    -     TRACEROUTE
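The four-argument LogICMP semantics described above (log/ignore, source network, type with 256 as wildcard, code with 256 as wildcard, at most sixteen rules) as an added, illustrative evaluator; this is not the product's code, and the plain-text rule syntax, first-match-wins ordering and the default ignore action are assumptions, not something the manual states.

```python
import ipaddress
from dataclasses import dataclass

MAX_ICMP_RULES = 16   # the sensor accepts at most sixteen ICMP rules (per the manual)
WILDCARD = 256        # 256 in the type or code field matches anything (per the manual)


@dataclass(frozen=True)
class IcmpRule:
    action: str                        # "log" or "ignore"
    source: ipaddress.IPv4Network      # network source declaration
    icmp_type: int                     # 0-255, or 256 as wildcard
    icmp_code: int                     # 0-255, or 256 as wildcard (only meaningful for type 3)


def parse_rules(lines):
    """Parse constructed rules of the form 'action source type code' (syntax assumed)."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        action, source, itype, icode = line.split()
        if action not in ("log", "ignore"):
            raise ValueError(f"unknown action {action!r}")
        itype, icode = int(itype), int(icode)
        if not (0 <= itype <= WILDCARD and 0 <= icode <= WILDCARD):
            raise ValueError(f"type/code out of range in {line!r}")
        rules.append(IcmpRule(action, ipaddress.ip_network(source, strict=False), itype, icode))
    if len(rules) > MAX_ICMP_RULES:
        raise ValueError(f"{len(rules)} ICMP rules exceed the sensor limit of {MAX_ICMP_RULES}")
    return rules


def should_log(rules, src_ip, icmp_type, icmp_code, default="ignore"):
    """First matching rule decides (assumed ordering); unmatched traffic takes the default."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip not in r.source:
            continue
        if r.icmp_type != WILDCARD and r.icmp_type != icmp_type:
            continue
        if r.icmp_code != WILDCARD and r.icmp_code != icmp_code:
            continue
        return r.action == "log"
    return default == "log"


# Constructed sample policy using type/code values from the table above
RULES = parse_rules([
    "ignore 10.0.0.0/8 0 256",       # echo replies from the internal range are noise
    "log 0.0.0.0/0 17 256",          # netmask requests from anywhere
    "log 0.0.0.0/0 3 13",            # type 3 filtered on code 13 (admin prohibited filter)
    "log 192.168.1.0/24 256 256",    # everything from one monitored segment
])
```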
Creating Network Sensor Policies and Signatures A-19
6.x to 7.x Mappings