Snort mailing list archives

DDOS TFN Probe, false positive?


From: Shane Machon <shane () twoplums com au>
Date: Thu, 06 Dec 2001 14:34:14 +1100

Greetings,

Do I have something to be worried about here?

Dec  6 hh:mm:ss myhost snort[21296]: [1:221:1] DDOS TFN Probe
[Classification: Attempted Information Leak] [Priority: 2]: {ICMP}
xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy

The scan was from our gateway (xxx.xxx.xxx.xxx), running Red Hat 7.0 with
the Snort 1.8.1 RPM.
The destination was one of our remote servers (yyy.yyy.yyy.yyy).

xxx.xxx.xxx.xxx actually has ICMP echo requests being denied, could this
be a false positive? This is the first time I have seen it in my logs
since running Snort (about 3 months now).

Am I just being paranoid or could this be a problem...


Any help appreciated!


Cheers,

SHANE MACHON
Network Administrator
Technical Project Manager
Two Purple Plums Pty Ltd.
TPP Internet Development 
(NetNames Australasia) 

  PO Box 334, Manly 
  NSW, 1655, Australia 
  Tel. +61 2 9970 5242 
  Fax. +61 2 9970 8262 
  Eml. shane () twoplums com au 

    ========================================== 
    TPP Internet Development (NetNames Australasia) 
    The International Domain Name Registry 
    Registering Domain Names in over 200 countries 
    http://www.netnames.com.au 
    http://www.internetdevelopment.com.au 
    http://www.twoplums.com.au 
    ==========================================

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
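An added example (editor's code, not from the post above and not Snort's own code) that parses the syslog alert format shown in the post and re-implements the three match options of sid 221 on raw ICMP bytes, so the reader can see exactly what the rule keys on. The rule body quoted in the comment is reproduced from memory of the ddos.rules file shipped with Snort 1.8.x and should be checked against the local copy; the alert lines, addresses and packets are constructed for the example.

```python
"""Decode a Snort 1.8 syslog alert and re-implement what sid 221 matches.

Editor's example, not from the original post.  The sid 221 rule text
below is reproduced from memory of Snort 1.8.x ddos.rules; verify it
against your own ruleset before relying on it.
"""
import re
import struct

# Assumed rule text (Snort 1.8.x ddos.rules, from memory):
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe";
#   icmp_id:678; itype:8; content:"1234"; reference:arachnids,443;
#   classtype:attempted-recon; sid:221; rev:1;)
SID_221 = {"itype": 8, "icmp_id": 678, "content": b"1234"}

# Snort syslog alert: "[gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src -> dst".
# The "[" before Classification is optional here because log relays and
# mail wrapping sometimes drop it, as in the post above.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[?Classification:\s*(?P<classification>[^\]]+)\]\s*"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s*"
    r"\{(?P<proto>[A-Za-z]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Constructed alert line (RFC 5737 documentation addresses).
SAMPLE_ALERT = ("Dec  6 14:21:07 gw snort[21296]: [1:221:1] DDOS TFN Probe "
                "[Classification: Attempted Information Leak] [Priority: 2]: "
                "{ICMP} 192.0.2.1 -> 198.51.100.7")
# The alert exactly as it appeared in the post, wrapped and missing the "[".
POSTED_ALERT = ("Dec  6 hh:mm:ss myhost snort[21296]: [1:221:1] DDOS TFN Probe\n"
                "Classification: Attempted Information Leak] [Priority: 2]: {ICMP}\n"
                "xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy")


def parse_alert(line: str) -> dict:
    """Return the alert's fields; raise ValueError if it is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a Snort alert line: %r" % line)
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        fields[key] = int(fields[key])
    return fields


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP message (no IP header) with a correct checksum."""
    hdr = struct.pack("!BBHHH", itype, code, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", itype, code, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Decode the 8-byte ICMP header (id/seq are meaningful for echo types)."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # A correct checksum makes the whole message sum to zero.
    return {"type": itype, "code": code, "id": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": icmp_checksum(pkt) == 0}


def matches_sid_221(pkt: bytes) -> bool:
    """Apply the rule's three options the way Snort does: itype, icmp_id, content."""
    icmp = parse_icmp(pkt)
    return (icmp["type"] == SID_221["itype"]
            and icmp["id"] == SID_221["icmp_id"]
            and SID_221["content"] in icmp["payload"])


# Constructed packets.  A TFN probe: echo request, id 678, data "1234".
TFN_PROBE = build_icmp(8, 0, 678, 0, b"1234")
# A default BSD/Linux ping: id taken from the PID, 8-byte timestamp, then the
# classic 0x08..0x37 fill whose printable tail is !"#$%&'()*+,-./01234567.
# That fill already contains "1234", so content alone cannot tell them apart.
ORDINARY_PING = build_icmp(8, 0, 0x2A5C, 1, b"\x00" * 8 + bytes(range(0x08, 0x38)))

if __name__ == "__main__":
    for label, line in (("constructed", SAMPLE_ALERT), ("as posted", POSTED_ALERT)):
        print(label, parse_alert(line))
    for label, pkt in (("TFN probe", TFN_PROBE), ("ordinary ping", ORDINARY_PING)):
        print(label, "matches sid 221:", matches_sid_221(pkt))
```

The second packet makes the false-positive question concrete: because the default ping fill already carries the bytes "1234", the only option in this rule that separates a TFN probe from an ordinary echo request is the ICMP identifier 678, which the classic BSD-derived ping sets from its own process ID. Any echo request leaving the gateway with that identifier fires the alert regardless of what sent it, and since the alert's source is the gateway itself, dropping echo requests inbound to the gateway has no bearing on it. The thing to check on the gateway is what was sending echo requests to yyy.yyy.yyy.yyy at that time.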
