Snort mailing list archives

Re: Rule 486 Why is this server initiating ICMP traffic?


From: "James R. Marcus" <jmarcus () edhance com>
Date: Tue, 11 May 2010 17:01:24 -0400

Yes it does, thanks
On May 11, 2010, at 4:38 PM, JJ Cummings wrote:

If you follow the logic of the event.. this is a RESPONSE from 10.10.100.21 to 134.173.121.59 saying "Destination 
Unreachable Communication with Destination Host is Administratively Prohibited"... so the originator of the ICMP 
request is actually 134.173.121.59.  Make sense?

JJC

On Tue, May 11, 2010 at 2:31 PM, James R. Marcus <jmarcus () edhance com> wrote:
Hi,
I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the tuning stage.

I have a web server in the PCI environment that has been initiating ICMP traffic to external IPs. Here is the alert:

[1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] 
[Classification: Misc activity] [Priority: 3] {ICMP} 10.10.100.21 -> 134.173.121.59

I have read the summary of the rule at http://www.snort.org/search/sid/486?r=1 and understand that "no corrective 
action is necessary" but am curious about this traffic.

Originally I thought that Tomcat could be generating ICMP traffic, but was told on the Tomcat list that Java doesn't do 
that. I see that the destination IP did access this web server, to register an account.

Any thoughts on this?

Thanks,
James
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

:: James R. Marcus | Director, IT Operations
:: Edhance | jmarcus () edhance com
:: v: 617-475-5360 | m: 914-772-8533
:: web: www.edhance.com
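An added example, not from the thread, that puts JJC's point into code: an ICMP Destination Unreachable (type 3, code 10 for this SID) quotes the IP header and first 8 bytes of the datagram it refused, so the host that started the exchange is read from inside the ICMP payload, not from the outer source address. The packet is constructed here with the thread's two addresses; the TCP ports and the assumption that a host firewall REJECT on the web server produced the error are mine.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3            # ICMP type
CODE_HOST_ADMIN_PROHIBITED = 10  # code that fires Snort SID 486


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_admin_prohibited(sender, orig_src, orig_dst, orig_sport, orig_dport):
    """Constructed sample: the ICMP error a filtering host sends back. Per RFC 792
    it quotes the IP header plus the first 8 bytes of the datagram it refused."""
    orig_l4 = struct.pack("!HHI", orig_sport, orig_dport, 0)  # start of TCP header
    quoted = ipv4_header(orig_src, orig_dst, socket.IPPROTO_TCP, 20) + orig_l4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_HOST_ADMIN_PROHIBITED, 0, 0)
    icmp += quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, orig_src, socket.IPPROTO_ICMP, len(icmp)) + icmp


def originator_of_icmp_error(packet: bytes) -> dict:
    """Read the quoted datagram inside an ICMP Destination Unreachable to find who
    started the exchange; 'consistent' is False when the quote does not match the
    outer header (a spoofed or mangled error worth a closer look)."""
    ihl = (packet[0] & 0x0F) * 4
    icmp_src, icmp_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not an ICMP Destination Unreachable message")
    quoted = packet[ihl + 8:]                      # embedded original IP header
    q_ihl = (quoted[0] & 0x0F) * 4
    q_src, q_dst = socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20])
    q_sport, q_dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {"icmp_sender": icmp_src, "icmp_receiver": icmp_dst, "code": icmp_code,
            "originator": q_src, "originator_port": q_sport,
            "refused_destination": q_dst, "refused_port": q_dport,
            "consistent": icmp_dst == q_src}
```

Feeding the alert's pair (10.10.100.21 -> 134.173.121.59) through build_admin_prohibited and then originator_of_icmp_error yields originator 134.173.121.59, i.e. the external IP is the one that sent the refused packet, as JJC said.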
