Snort mailing list archives

[Somewhat OT] - Why would a web server ping me?


From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Mon, 10 Mar 2003 16:58:52 -0600


I'm running down some of my most frequent 'hits' in my database, and one of
the biggest log-hogs is a website that we visit (for business purposes).  I
get a ton of what I thought were false positives from spp_portscan2
complaining about portscans (something on the order of 20 ports) out of
Snort.  Plus I get a lot of 443 and ICMP type 8 directed at the proxy server
that bounce off of the iptables firewall.  If anyone can help shed some
light on this, I'd be very grateful.

I think I understand the portscan errors.  My guess is that I have 20 or so
users hitting the site at the same time, all from the same IP (the proxy
server) and so Snort interprets this as a scan.

I can also guess at the 443.  I'm assuming that the secure portion of the
session is being initiated by the server, rather than the client, and is
failing to match state.

What's tying me up is the ICMP.  Why would a non-user ping me?  Or, in other
words, why would an automated process running on a web server ping one of
its clients?

Has anyone seen this before?  Is this normal?

Or is this site up to something nefarious?


Thanks,

Bob McDowell
IS Specialist
Cox HealthPlans, LLC
417.269.2848

