Rule:  
--

Sid:
402

--

Summary:
An ICMP Port Unreachable was detected.

--
Impact:
An ICMP Port Unreachable is not an attack, but may indicate that the source
of the packet was the target of a scan or other malicious activity.

--
Detailed Information:
An ICMP Port Unreachable (ICMP type 3 code 3) indicates that someone or
something tried to connect to a port on a system that was not available
(i.e., no service was running on that port).
This is analagous to RST packets in TCP.  Since UDP does not have an
equivalent, it relies upon ICMP Port Unreachable for this.  This often
indicates someone was scanning for UDP services.

--
Affected Systems:
 
--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
None Known
This kind of packet is common on networks, and may be generated by simple
misconfigurations on either the source or destination, or service outage.

--
False Negatives:
None Known
Not all OSes will respond with ICMP Port Unreachables when no service
is running.

--
Corrective Action:
Examine the activity of the recipient of this packet to see if the
recipient was responsible for scanning or other behavior.

--
Contributors:
Original rule writer unknown
Original document author unkown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
References:
URL:  http://www.faqs.org/rfcs/rfc792.html
