Snort mailing list archives
DDOS TFN Probe, false positive?
From: Shane Machon <shane () twoplums com au>
Date: Thu, 06 Dec 2001 14:34:14 +1100
Greetings,

Do I have something to be worried about here?

Dec 6 hh:mm:ss myhost snort[21296]: [1:221:1] DDOS TFN Probe Classification: Attempted Information Leak] [Priority: 2]: {ICMP} xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy

The scan was from our gateway (xxx.xxx.xxx.xxx), running redhat 7.0 with snort 1.8.1 rpm. The destination was one of our remote servers (yyy.yyy.yyy.yyy).

xxx.xxx.xxx.xxx actually has ICMP echo requests being denied, could this be a false positive?

This is the first time I have seen it in my logs since running snort (about 3 months now).

Am I just being paranoid or could this be a problem....

Any help appreciated!

Cheers,

SHANE MACHON
Network Administrator
Technical Project Manager
Two Purple Plums Pty Ltd.
TPP Internet Development (NetNames Australasia)
PO Box 334, Manly NSW, 1655, Australia
Tel. +61 2 9970 5242
Fax. +61 2 9970 8262
Eml. shane () twoplums com au
==========================================
TPP Internet Development (NetNames Australasia)
The International Domain Name Registry
Registering Domain Names in over 200 countries
http://www.netnames.com.au
http://www.internetdevelopment.com.au
http://www.twoplums.com.au
==========================================