Snort mailing list archives

Rule 486 Why is this server initiating ICMP traffic?


From: "James R. Marcus" <jmarcus () edhance com>
Date: Tue, 11 May 2010 16:31:14 -0400

Hi,
I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the tuning stage.

I have a web server in the PCI environment that has been initiating ICMP traffic to external IPs. Here is the alert:

[1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] 
[Classification: Misc activity] [Priority: 3] {ICMP} 10.10.100.21 -> 134.173.121.59

I have read the summary of the rule at http://www.snort.org/search/sid/486?r=1 and understand that "no corrective 
action is necessary" but am curious about this traffic.

Originally I thought that Tomcat could be generating ICMP traffic, but was told on the Tomcat list that Java doesn't do 
that. I see that the destination IP did access this web server, to register an account.

Any thoughts on this?  

Thanks,
James
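The alert names the web server as the sender, but an ICMP Destination Unreachable message (RFC 792) is only ever sent in reply to a packet the host received, and it carries the IP header plus the first 8 bytes of that packet inside it. The following is an added example, not code from the original post or from Snort: it constructs a sample type 3 / code 10 message using the two addresses from the alert (the port numbers are constructed values) and decodes the quoted inner packet so the inbound connection attempt that the host was rejecting can be read off directly.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3            # ICMP type 3
ICMP_HOST_ADMIN_PROHIBITED = 10  # code 10, the text Snort SID 486 names

def inet_checksum(data):
    """RFC 1071 ones-complement checksum; returns 0 when run over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (IP checksum left at zero; not verified in this example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_admin_prohibited(sender, target, orig_src, orig_dst, orig_sport, orig_dport):
    """Constructed sample: a type 3 / code 10 error quoting the rejected inbound TCP segment."""
    quoted = ipv4_header(orig_src, orig_dst, 6, 20) + struct.pack("!HHI", orig_sport, orig_dport, 1)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_ADMIN_PROHIBITED, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, target, 1, len(icmp)) + icmp

def explain_unreachable(packet):
    """Decode an ICMP Destination Unreachable datagram and report the packet it is replying to."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                       # not ICMP at all
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    if inet_checksum(icmp) != 0:
        raise ValueError("ICMP checksum mismatch")
    inner = icmp[8:]                         # quoted original IP header + first 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])  # assumes TCP/UDP quoted
    return {
        "icmp_from": socket.inet_ntoa(packet[12:16]),
        "code": icmp[1],
        "rejected_src": socket.inet_ntoa(inner[12:16]),   # the host that really initiated
        "rejected_dst": socket.inet_ntoa(inner[16:20]),
        "rejected_sport": sport,
        "rejected_dport": dport,
    }
```

Running `explain_unreachable` over a real capture of the alerted packet shows which inbound packet from 134.173.121.59 the web server's local filter was rejecting, which is the first thing to check before treating the ICMP as outbound activity.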