Rule: -- Sid: 450 -- Summary: This event is generated when an ICMP "Time Exceeded" message is generated that has an invalid ICMP code. -- Impact: Informational. This may indicate that the ICMP message has been crafted. -- Detailed Information: An ICMP "Time Exceeded" message is issued when either the maximum number of hops has been exceeded or a timer has expired before all fragments have been received. The ICMP code value for this message should be 0 or 1. If a value of greater than 1 for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value. -- Affected Systems: This traffic should have no adverse impact. -- Attack Scenarios: An attacker may craft an ICMP "Time Exceeded" message with an invalid ICMP code. A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated. -- Ease of Attack: Simple. There are many packages available to generate ICMP messages. -- False Positives: Although rare, it is possible to observe an ICMP "Time Exceeded" message with an ICMP code greater than 1 if it is generated by software that does not conform to standards. -- False Negatives: None Known. -- Corrective Action: If a host or device in your network is generating this message, investigate why it does not have a standard ICMP code. -- Contributors: Original rule writer unknown. Sourcefire Research Team Judy Novak <judy.novak@sourcefire.com> -- Additional References: --