snort-2.3.3-2.3.20060mdk.x86_64.rpm

Rule:

--
Sid:
450

--
Summary:
This event is generated when an ICMP "Time Exceeded" message with an invalid ICMP code is observed.

--
Impact:
Informational.  This may indicate that the ICMP message has been crafted.

--
Detailed Information:
An ICMP "Time Exceeded" message is issued when either the maximum number of hops has been exceeded or a timer has expired before all fragments have been received.  The ICMP code value for this message should be 0 or 1.  If an ICMP code value greater than 1 is observed, it may be an indication that the packet was crafted with an invalid value.
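
The check described above, applied to raw IPv4 datagrams. This is an added example, not the Snort rule or code from the Snort project. The function names, the sample packets and their addresses are constructed for illustration, and the ICMP type value 11 for "Time Exceeded" is taken from RFC 792, not from this page.

```python
import struct

ICMP_PROTO = 1
TIME_EXCEEDED = 11      # ICMP type for "Time Exceeded" (RFC 792)
VALID_CODES = {0, 1}    # 0 = hop limit exceeded, 1 = fragment reassembly timer expired


def check_time_exceeded(packet: bytes):
    """Return the ICMP code if `packet` (a raw IPv4 datagram) is a
    Time Exceeded message whose code is not 0 or 1, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                    # not a complete IPv4 header
    ihl = (packet[0] & 0x0F) * 4       # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl + 2:
        return None                    # malformed, or cut off before ICMP type/code
    if packet[9] != ICMP_PROTO:
        return None
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    if flags_frag & 0x1FFF:
        return None                    # non-first fragment carries no ICMP header
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if icmp_type == TIME_EXCEEDED and icmp_code not in VALID_CODES:
        return icmp_code
    return None


def build_packet(icmp_type, icmp_code, options=b"", frag_offset=0):
    """Constructed sample datagram: checksums left at zero, addresses taken
    from documentation ranges, `options` must be a multiple of 4 bytes."""
    ihl_words = 5 + len(options) // 4
    icmp = bytes([icmp_type, icmp_code]) + b"\x00" * 6
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                         ihl_words * 4 + len(icmp), 0, frag_offset, 64,
                         ICMP_PROTO, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + options + icmp


if __name__ == "__main__":
    samples = {
        "time exceeded, code 0": build_packet(11, 0),
        "time exceeded, code 1": build_packet(11, 1),
        "time exceeded, code 2": build_packet(11, 2),
        "time exceeded, code 7, IP options": build_packet(11, 7, options=b"\x01" * 4),
        "echo request, code 2": build_packet(8, 2),
    }
    for name, pkt in samples.items():
        print(f"{name}: {check_time_exceeded(pkt)}")
```

The header length is read from the IHL field rather than assumed to be 20 bytes, so a datagram carrying IP options is still inspected at the correct offset.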

--
Affected Systems:
This traffic should have no adverse impact.

--
Attack Scenarios:
An attacker may craft an ICMP "Time Exceeded" message with an invalid ICMP code.  A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated.

--
Ease of Attack:
Simple. There are many packages available to generate ICMP messages.

--
False Positives:
Although rare, it is possible to observe an ICMP "Time Exceeded" message with an ICMP code greater than 1 if it is generated by software that does not conform to standards.

--
False Negatives:
None Known.

--
Corrective Action:
If a host or device in your network is generating this message, investigate why it does not have a standard ICMP code.

--
Contributors:
Original rule writer unknown.
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

--