Rule:

--
Sid:
485

--
Summary:
This event is generated when a router was unable to forward a packet due
to filtering and used the Internet Control Message Protocol to alert
involved hosts.

--
Impact:
Unknown. This particular message is meant only to be informative but can be
indicative of malicious activity (spoofed traffic, DoS).

--
Detailed Information:
A packet sent between two points on a network was administratively
prohibited via filtering of some sort. The host or device performing the
filtering returned an ICMP message informing the apparent source host
that filtering had been done.

--
Affected Systems:
	All systems.

--
Attack Scenarios:
In a DoS attack it is common to to use spoofed source addresses.  If
and when the traffic gets filtered and an ICMP message is returned,
the spoofed source address will be the recipient of the ICMP message.
A similar situation may occur when a large portscan is occuring and an
attempt is made to mask the true source of the scan by using spoofed
source addresses.  

--
Ease of Attack:
Simple. Tools are readily available that can craft arbitrary ICMP
packets. It is also possible to spoof packets using arbitrary
addresses potentially causing intermediary routers to generate ICMP
messages.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
None needed unless messages become excessive or appear to be invalid. 

Determine what traffic caused this particular ICMP message to be
generated and act accordingly.

--
Contributors:
Original rule writer unknown
Snort documentation contributed by Jon Hart <warchild@spoofed.org>
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

RFC 1812:
ftp://ftp.isi.edu/in-notes/rfc1812.txt

--
