Snort mailing list archives
Rule 486 Why is this server initiating ICMP traffic?
From: "James R. Marcus" <jmarcus () edhance com>
Date: Tue, 11 May 2010 16:31:14 -0400
Hi,

I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the tuning stage. I have a web server in the PCI environment that has been initiating ICMP traffic to external IPs. Here is the alert:

[1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.100.21 -> 134.173.121.59

I have read the summary of the rule at http://www.snort.org/search/sid/486?r=1 and understand that "no corrective action is necessary" but am curious about this traffic. Originally I thought that Tomcat could be generating ICMP traffic, but was told on the Tomcat list that Java doesn't do that. I see that the destination IP did access this web server, to register an account.

Any thoughts on this?

Thanks,
James
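Added example, not part of the original post: an ICMP Destination Unreachable message quotes the IP header and first 8 bytes of the datagram that triggered it (RFC 792), so decoding that quoted portion from a capture shows which earlier packet the sending host refused. The function names, addresses and ports below are constructed for illustration and do not come from the thread.

```python
import socket
import struct

# ICMP type 3 codes for "administratively prohibited" (RFC 1122 / RFC 1812).
PROHIBITED = {9: "network administratively prohibited",
              10: "host administratively prohibited",      # the code rule 486 reports
              13: "communication administratively prohibited"}

def decode_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message, starting at the ICMP header."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus quoted IPv4 header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    quoted = icmp[8:]                       # quoted datagram follows the 8-byte ICMP header
    ihl = (quoted[0] & 0x0F) * 4            # quoted IPv4 header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl:
        raise ValueError("quoted IPv4 header is malformed or truncated")
    proto = quoted[9]
    info = {"code": code,
            "meaning": PROHIBITED.get(code, "other unreachable code"),
            "orig_src": socket.inet_ntoa(quoted[12:16]),   # sender of the refused packet
            "orig_dst": socket.inet_ntoa(quoted[16:20]),   # host that refused it
            "orig_proto": proto, "orig_sport": None, "orig_dport": None}
    l4 = quoted[ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with src/dst port
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", l4[:4])
    return info

def build_sample() -> bytes:
    """Constructed sample: type 3 code 10 quoting a TCP segment (checksums left zero)."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                            socket.inet_aton("198.51.100.7"),   # constructed remote client
                            socket.inet_aton("192.0.2.21"))     # constructed local server
    quoted_tcp = struct.pack("!HHI", 51515, 8080, 0)            # arbitrary ports, seq 0
    return struct.pack("!BBHI", 3, 10, 0, 0) + quoted_ip + quoted_tcp

if __name__ == "__main__":
    for key, value in decode_unreachable(build_sample()).items():
        print(f"{key}: {value}")
```

The decoder does not verify checksums; feed it the ICMP portion of a captured packet to see the quoted source, destination and ports.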