Rule:  

--
Sid:
402

--
Summary:
This event is generated when an ICMP Port Unreachable message is detected.

--
Impact:
Unknown.

--
Detailed Information:
An ICMP Port Unreachable is not an attack, but may indicate that the source
of the packet was the target of a scan or other malicious activity.

An ICMP Port Unreachable (ICMP type 3 code 3) indicates that someone or
something tried to connect to a port on a system that was not available
(i.e., no service was running on that port).

This is analogous to RST packets in TCP. Since UDP has no equivalent of
its own, it relies upon ICMP Port Unreachable for this. A burst of these
messages often indicates someone was scanning for UDP services.

--
Affected Systems:
	All systems
 
--
Attack Scenarios:
An attacker may use a port scanner to determine possible attack vectors
as a prelude to a directed attack against a system.

--
Ease of Attack:
Simple.

--
False Positives:
This kind of packet is common on networks, and may be generated by simple
misconfigurations on either the source or destination, or service outage.

--
False Negatives:
Not all operating systems will respond with ICMP Port Unreachable
messages when no service is running.

--
Corrective Action:
Examine the activity of the recipient of this packet to see if the
recipient was responsible for scanning or other behavior.
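
One way to carry out this examination offline, as an added example (not part of the original rule documentation): parse the original datagram embedded in each ICMP type 3 code 3 message, as RFC 792 specifies, and count how many distinct closed UDP ports each recipient probed. The function names, the threshold of 5 and the sample addresses are assumptions made for the illustration.

```python
import socket
import struct
from collections import defaultdict

def parse_port_unreachable(icmp: bytes):
    """Parse an ICMP type 3 code 3 message (RFC 792).

    Returns (prober, probed_host, ip_proto, dst_port) taken from the embedded
    original datagram, or None if this is not a usable Port Unreachable."""
    if len(icmp) < 28 or icmp[0] != 3 or icmp[1] != 3:
        return None
    inner = icmp[8:]                      # original IP header + first 64 bits of data
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    prober = socket.inet_ntoa(inner[12:16])   # original source = recipient of the ICMP
    probed = socket.inet_ntoa(inner[16:20])   # original destination = sender of the ICMP
    _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return prober, probed, inner[9], dport

def likely_scanners(messages, min_targets=5):
    """Map each recipient to its count of distinct closed UDP (host, port) pairs,
    keeping only recipients at or above min_targets (threshold is an assumption)."""
    targets = defaultdict(set)
    for msg in messages:
        rec = parse_port_unreachable(msg)
        if rec and rec[2] == 17:          # IP protocol 17 = UDP
            targets[rec[0]].add((rec[1], rec[3]))
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_targets}

def build_sample(src, dst, dport, sport=40000):
    """Construct a sample ICMP Port Unreachable (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

# Constructed sample traffic: one host probing many ports, one host resending
# to a single dead syslog port (the misconfiguration case under False Positives).
SAMPLE = [build_sample("192.0.2.10", "198.51.100.5", p)
          for p in (53, 69, 123, 161, 500, 514)]
SAMPLE += [build_sample("192.0.2.20", "198.51.100.7", 514)] * 10

if __name__ == "__main__":
    print(likely_scanners(SAMPLE))
```

Counting distinct targets rather than raw message volume keeps a host that repeatedly sends to one dead service from being reported alongside a host sweeping many ports.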

--
Contributors:
Original rule writer unknown
Original document author unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
References:

RFC 792:
http://www.faqs.org/rfcs/rfc792.html

--
