Snort mailing list archives

ICMP rule triggered by UDP packet


From: "Kern, Daniel P. x1449" <KernDP () co monterey ca us>
Date: Tue, 5 Feb 2013 13:39:46 -0800

Hello everyone,

This one has baffled me for a while, so I thought I'd submit this to the group, as I may be missing something obvious.

Here's the rule:

alert icmp !$LEGIT_SRC any -> any any (msg:"LOCAL Illegitimate ICMP traffic"; detection_filter:track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:10002161; rev:2; )

It generally works fine. However, here's one packet that pops below. A UDP packet! 172.28.7.8 is in $LEGIT_SRC and it doesn't make any difference; the rule still pops.

------------------------------------------------------------------------
Count:90 Event#4.273137 2013-02-05 18:29:35
LOCAL Illegitimate ICMP traffic
172.28.7.8 -> 157.56.106.184
IPVer=4 hlen=5 tos=0 dlen=89 ID=41995 flags=0 offset=0 ttl=255 chksum=23670
Protocol: 17 sport=30811 -> dport=3544

len=69 chksum=37658
Payload:
00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00 ....R.X1].]..`..
00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF ...:............
FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 02 85 00 7D 38 00 00 00 00          .......}8....



Any thoughts?

Thanks for any insight!  --Dan
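The payload in the alert above is what turns this "UDP packet" into ICMP traffic for the rule engine: UDP/3544 is the Teredo service port (RFC 4380), and the bytes decode as a Teredo authentication indicator followed by an IPv6 packet carrying an ICMPv6 Router Solicitation (type 133) from fe80::ffff:ffff:fffe to ff02::2, with a checksum that verifies. The script below is an added example, not code from the post or from Snort. It walks the hex dump through the RFC 4380 indicator and RFC 8200/4443 header layouts, recomputes the ICMPv6 checksum, and then applies the rule's protocol and !$LEGIT_SRC header tests to both the outer IPv4 header and the inner IPv6 header. The LEGIT_SRC list is a constructed stand-in (the post only says 172.28.7.8 is in it), and the rule evaluation rests on my reading of Snort 2.9, not on anything stated in the thread: once the decoder unwraps a Teredo tunnel the rule headers are matched against the innermost IP header, and the icmp protocol keyword covers ICMPv6 as well as ICMPv4.

```python
"""Decode the UDP/3544 payload from the alert as a Teredo-encapsulated IPv6
packet and evaluate the rule's header tests against outer and inner headers.

Added example, not code from the post or from Snort. Layouts follow
RFC 4380 (Teredo indicators), RFC 8200 (IPv6) and RFC 4443 (ICMPv6).
"""
import ipaddress
import struct

ICMPV4 = 1
ICMPV6 = 58
UDP = 17
TEREDO_PORT = 3544

# Outer header as printed in the alert.
OUTER_SRC = ipaddress.ip_address("172.28.7.8")
OUTER_PROTO = UDP
OUTER_DPORT = TEREDO_PORT

# Constructed stand-in for $LEGIT_SRC: the post only says 172.28.7.8 is in it.
LEGIT_SRC = ["172.28.7.8/32"]

# The 61-byte payload copied from the hex dump in the alert.
PAYLOAD = bytes.fromhex(
    "00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00"
    "00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF"
    "FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 02 85 00 7D 38 00 00 00 00"
)

ICMPV6_TYPES = {128: "Echo Request", 129: "Echo Reply",
                133: "Router Solicitation", 134: "Router Advertisement",
                135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}


def strip_teredo_indicators(data):
    """Skip the optional Teredo authentication and origin indicators
    (RFC 4380 section 5.1.1) and return (indicator fields, IPv6 packet)."""
    info = {}
    off = 0
    while off + 2 <= len(data):
        tag = struct.unpack_from("!H", data, off)[0]
        if tag == 0x0001:                       # authentication indicator
            id_len, au_len = data[off + 2], data[off + 3]
            nonce_off = off + 4 + id_len + au_len
            info["nonce"] = data[nonce_off:nonce_off + 8].hex()
            info["confirmation"] = data[nonce_off + 8]
            off = nonce_off + 9
        elif tag == 0x0000:                     # origin indicator; port/addr are XORed with ones
            port, addr = struct.unpack_from("!H4s", data, off + 2)
            info["origin"] = (str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in addr))),
                              port ^ 0xFFFF)
            off += 8
        else:                                   # 0x6... is the IPv6 version nibble
            break
    return info, data[off:]


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header)
    plus the ICMPv6 message with its checksum field zeroed."""
    data = src + dst + struct.pack("!I3xB", len(icmp), ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_inner(data):
    """Parse the IPv6 header behind the Teredo indicators and, when the next
    header is ICMPv6, the ICMPv6 type/code and whether its checksum verifies."""
    indicators, pkt = strip_teredo_indicators(data)
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("no IPv6 header behind the Teredo indicators")
    _, plen, nh, hlim, src, dst = struct.unpack_from("!IHBB16s16s", pkt)
    body = pkt[40:40 + plen]
    out = {"teredo": indicators,
           "src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
           "next_header": nh, "hop_limit": hlim}
    if nh == ICMPV6 and len(body) >= 4:
        typ, code, stored = struct.unpack_from("!BBH", body)
        zeroed = body[:2] + b"\x00\x00" + body[4:]
        out.update(icmp_type=typ, icmp_name=ICMPV6_TYPES.get(typ, "type %d" % typ),
                   icmp_code=code, checksum_ok=icmpv6_checksum(src, dst, zeroed) == stored)
    return out


def evaluate_rule(legit_src, proto, src):
    """Header tests of 'alert icmp !$LEGIT_SRC any -> any any': the protocol
    must be ICMP (treating ICMPv6 as icmp is an assumption about Snort, see
    the lead-in) and the source must NOT fall inside $LEGIT_SRC."""
    nets = [ipaddress.ip_network(n) for n in legit_src]
    in_legit = any(src.version == n.version and src in n for n in nets)
    return proto in (ICMPV4, ICMPV6) and not in_legit


def explain_alert():
    """Evaluate the rule against the outer IPv4/UDP header and against the
    decoded inner IPv6/ICMPv6 header (assumption: Snort matches on the innermost)."""
    inner = decode_inner(PAYLOAD)
    return {"inner": inner,
            "matches_outer": evaluate_rule(LEGIT_SRC, OUTER_PROTO, OUTER_SRC),
            "matches_inner": evaluate_rule(LEGIT_SRC, inner["next_header"], inner["src"])}


if __name__ == "__main__":
    r = explain_alert()
    i = r["inner"]
    print("Teredo indicators:", i["teredo"])
    print("inner: %s -> %s next=%d hlim=%d" % (i["src"], i["dst"], i["next_header"], i["hop_limit"]))
    print("ICMPv6: %s code %d checksum_ok=%s" % (i["icmp_name"], i["icmp_code"], i["checksum_ok"]))
    print("rule matches outer header:", r["matches_outer"])
    print("rule matches inner header:", r["matches_inner"])
```

Run as a script it prints the decoded fields. The point it makes is that on the inner header the source is an IPv6 link-local address that no IPv4 entry in $LEGIT_SRC can contain, so the negated source test passes and the alert fires no matter what the outer 172.28.7.8 is listed as; a rule meant to exempt Teredo clients would need their inner addresses, or a check on the outer header, rather than the IPv4 list alone.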
Snort-users mailing list