I manage a webserver, it handles a couple of websites, mail, ftp, ssh. Do I have any need to allow any incoming ICMP?

Also where can I find good information on decoding the packets that are logged by my snort. For example TOS's TTL's etc, I don't know how to interpret those as negative or otherwise. Thanks for any and all help!

Mike.

Simple answer is Yes, disable them all and you'll have network issues. "that's an understatement"

There are 18 types of ICMP messages used on the network.
Some are obsolete others are useful and others are essential.

Here's a quick list of what should be allow and what not.

Type 0 "Echo reply" = allow it
Type 3 "Destination Unreachable" = allow it
Type 4 "Source quench" = allow it
Type 5 "Redirect" = Deny it (only if you have static routes setup on the routers, otherwise allow it)
Type 8 "Echo Request" = Deny it
Type 9 "Route Advertisement" = allow it
Type 10 "Route Solicitation" = Deny it
Type 11 "Time exceeded" = Deny it
Type 12 "Parameter Problem" allow it
Type 13 "Timestamp request" = Deny it
Type 14 "Timestamp reply" = allow it
Type 17 "Address Mask request" = Deny it
Type 18 "Address Mask reply" = Allow it

To understand the logs from snort you'll need to understand TCP/IP and all parts of the OSI.
Then things like TOS and TTL will be clear to you.
Best suggestion is to buy a book on it.

/Raz