Snort mailing list archives
Re: ISD171/ping zeros - One legit use
From: "Sid" <s_i_d_j () yahoo com>
Date: Fri, 1 Jun 2001 09:15:24 +0530
Same here. We are a data centre and have a couple of load balancing systems hosted with us and they keep triggering this off. I also get dos-large-icmp very frequently.

Siddhartha

FYI... One of our sites has been observing:

  09:49:15 snort[2907]: IDS171/ping zeros: x.x.x.x -> y.y.y.y

from snort. The content of these ping packets is essentially 1500 bytes of zeros (0's), and they were arriving from five IP addresses assigned around the world.

In researching the "source" of these packets, we received the following response from this well-known international company:

"What you are seeing is a Wide area load balancing system trying to figure out which of our 3 data centers is closest to you. Someone on your network requested one of our websites, and our DNS/load balancing system tries probing your nameserver that the initial dns request came from, and instructs the other data centers to do the same to collect path metrics. Subsequent requests from your network result in being handed an IP for the closest/fastest data center. http://www.f5.com has the relevant information on how the system works. If you'd like to be put in an exclude list, we can stop the probes to your network. It tries to be as quiet as possible, but is in no way malicious. It does tend to set off some IDS systems though."

A search of multiple sites including snort.org and whitehats.org did not find any "negative" comments relative to IDS171, only one "could be an issue".

Rich

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
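An added example, not code from any poster in this thread or from the Snort project: a triage heuristic for IDS171 alerts in the log format quoted above. It labels a destination as consistent with the load-balancer probing described in the vendor's reply when several distinct sources ping one of your own nameservers within a short window. The resolver address, window, threshold and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Alert format as quoted in the thread:
#   "09:49:15 snort[2907]: IDS171/ping zeros: src -> dst"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) snort\[\d+\]: IDS171/ping zeros: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Assumptions: our recursive resolvers, and how tightly grouped the probes are.
RESOLVERS = {"192.0.2.53"}
WINDOW = timedelta(seconds=10)
MIN_SOURCES = 3

def parse(lines):
    """Yield (time, src, dst) for every IDS171 alert line; skip everything else."""
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%H:%M:%S"), m["src"], m["dst"]

def triage(lines):
    """Return {dst: 'lb-probe-like' | 'review'} for each alerted destination."""
    by_dst = defaultdict(list)
    for ts, src, dst in parse(lines):
        by_dst[dst].append((ts, src))
    verdicts = {}
    for dst, hits in by_dst.items():
        hits.sort()
        # Burst = MIN_SOURCES distinct senders inside one WINDOW (same-day logs only).
        burst = any(
            len({s for t, s in hits[i:] if t - start <= WINDOW}) >= MIN_SOURCES
            for i, (start, _) in enumerate(hits)
        )
        verdicts[dst] = "lb-probe-like" if burst and dst in RESOLVERS else "review"
    return verdicts

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE = """\
09:49:15 snort[2907]: IDS171/ping zeros: 198.51.100.10 -> 192.0.2.53
09:49:16 snort[2907]: IDS171/ping zeros: 203.0.113.20 -> 192.0.2.53
09:49:18 snort[2907]: IDS171/ping zeros: 198.51.100.77 -> 192.0.2.53
09:52:40 snort[2907]: IDS171/ping zeros: 203.0.113.99 -> 192.0.2.80
10:15:02 snort[2907]: IDS171/ping zeros: 203.0.113.99 -> 192.0.2.80
""".splitlines()
```

The label is a triage hint only: confirm the source owner, as Rich did, before tuning the rule or asking to be put on an exclude list.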
Current thread:
- ISD171/ping zeros - One legit use Rich Adamson (May 31)
- RE: ISD171/ping zeros - One legit use Ofir Arkin (May 31)
- RE: ISD171/ping zeros - One legit use Rich Adamson (Jun 01)
- RE: ISD171/ping zeros - One legit use Ofir Arkin (Jun 01)
- RE: ISD171/ping zeros - One legit use Rich Adamson (Jun 01)
- Re: ISD171/ping zeros - One legit use Sid (May 31)
- RE: ISD171/ping zeros - One legit use Ofir Arkin (May 31)