Snort mailing list archives

Re: Heavy ICMP Traffic


From: Nicholas Bachmann <nbachmann () mail davison k12 mi us>
Date: Mon, 04 Nov 2002 16:09:20 -0500

Brian M. Diehl wrote:

> I have snort on a newly installed rh7.3 box; it's been running for this weekend and I found some really interesting things in the alert log. I haven't been able to find info in the archives. They are, sadly, 2 win2k boxes, and I'm seeing this between the two of them.
>
>[**] ICMP L3retriever Ping [**]
>11/02-01:17:16.078236 xxx.xxx.217.53 -> 192.168.2.4
>ICMP TTL:28 TOS:0x0 ID:4402 IpLen:20 DgmLen:60
>Type:8  Code:0  ID:512   Seq:9278  ECHO
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>The .53 is an external address for one of my boxes, and obviously the 2.4 address is NAT'd for a box with no external addy and is a win2k PDC. I have a roughly 20 meg log file for this particular incident. Does anyone know what this is? Is this "normal" Windows crap? The odd thing is I'm not seeing a reply from 2.4 to .53....
>
Yep, standard Windows stuff.  I get this all the time from Windows 2k
servers and DCs.  Look at http://www.whitehats.com/info/IDS311.

--
        Regards,
        Nick

        Nicholas Bachmann, SSCP
        Tech Department
        Davison Community Schools
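A small triage script for alerts like the one quoted above, added here as an example; it is not code from the original post and not part of Snort. It parses Snort's "full" alert-log format (the four-line entry shown in the thread), counts entries per signature and per source/destination pair so a 20 MB log can be reduced to a few lines, derives the ICMP payload length from DgmLen and IpLen (60 - 20 - 8 = 32 bytes for the quoted entry, the size of a standard Windows ping), and checks the ICMP type to explain the missing reply: the stock rule behind "ICMP L3retriever Ping" (sid 466) matches echo requests only (itype:8), so echo replies from 2.4 can never appear in this log whether or not the box answered. The sample log text is constructed (the quoted entry plus two made-up entries), and the upper-case payload string is the content match from the stock rule as I recall it; check it against your local icmp.rules.

```python
"""Triage helper for Snort 'full' alert-log entries.  Added example,
not code from the original post or from the Snort project.  The sample
log below is constructed: the entry quoted in the thread plus two
made-up entries."""
import re
from collections import Counter

# Constructed sample log (the first entry is the one from the thread).
SAMPLE_ALERT_LOG = """\
[**] ICMP L3retriever Ping [**]
11/02-01:17:16.078236 xxx.xxx.217.53 -> 192.168.2.4
ICMP TTL:28 TOS:0x0 ID:4402 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:9278  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP L3retriever Ping [**]
11/02-01:17:17.101002 xxx.xxx.217.53 -> 192.168.2.4
ICMP TTL:28 TOS:0x0 ID:4403 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:9534  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP PING NMAP [**]
11/02-02:03:44.500001 10.9.8.7 -> 192.168.2.9
ICMP TTL:44 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Header line; later Snort versions prefix the message with [gid:sid:rev].
HEADER_RE = re.compile(r'^\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(?P<msg>.*?)\s*\[\*\*\]$')
# Timestamp and flow line; ports (for TCP/UDP alerts) are optional and dropped.
FLOW_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<src>\S+?)(?::\d+)?\s+->\s+(?P<dst>\S+?)(?::\d+)?$')
# IP header line.
IP_RE = re.compile(r'^(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s.*IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)')
# ICMP line.
ICMP_RE = re.compile(r'^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)')


def parse_alerts(text):
    """Return a list of dicts, one per alert entry in the full alert format."""
    alerts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {'msg': m['msg']}
            alerts.append(cur)
            continue
        if cur is None:            # text before the first header
            continue
        m = FLOW_RE.match(line)
        if m:
            cur.update(ts=m['ts'], src=m['src'], dst=m['dst'])
            continue
        m = IP_RE.match(line)
        if m:
            cur.update(proto=m['proto'], ttl=int(m['ttl']),
                       iplen=int(m['iplen']), dgmlen=int(m['dgmlen']))
            continue
        m = ICMP_RE.match(line)
        if m:
            cur.update(icmp_type=int(m['type']), icmp_code=int(m['code']))
    return alerts


def icmp_payload_len(alert):
    """Bytes after the 8-byte ICMP header: DgmLen minus IP header minus 8."""
    return alert['dgmlen'] - alert['iplen'] - 8


def summarize(alerts):
    """Counts per signature and per (src, dst) pair."""
    by_sig = Counter(a['msg'] for a in alerts)
    by_pair = Counter((a['src'], a['dst']) for a in alerts)
    return by_sig, by_pair


def echo_replies_logged(alerts):
    """True only if some entry is an ICMP echo reply (type 0).  Rule 466
    uses itype:8, so it logs requests only; a missing reply in this log
    says nothing about whether the target answered."""
    return any(a.get('icmp_type') == 0 for a in alerts)


# Content match of the stock "ICMP L3retriever Ping" rule as I recall it
# (assumption: verify against your icmp.rules).  Windows ping.exe sends the
# same 32 letters in lower case, which this rule does not match.
L3RETRIEVER_PAYLOAD = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def matches_l3retriever(icmp_type, icmp_code, payload):
    """Same condition as the rule: echo request whose payload starts with the pattern."""
    return icmp_type == 8 and icmp_code == 0 and payload[:32] == L3RETRIEVER_PAYLOAD


if __name__ == '__main__':
    alerts = parse_alerts(SAMPLE_ALERT_LOG)
    by_sig, by_pair = summarize(alerts)
    for sig, n in by_sig.most_common():
        print(f"{n:6d}  {sig}")
    for (src, dst), n in by_pair.most_common():
        print(f"{n:6d}  {src} -> {dst}")
    print("echo replies logged:", echo_replies_logged(alerts))
```

To answer the "is 2.4 replying" question you need the packet data, not this alert log: run Snort with packet logging, or capture the ICMP echo replies (type 0) on the wire, since no stock rule logs them.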

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users