Snort mailing list archives
[Somewhat OT] - Why would a web server ping me?
From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Mon, 10 Mar 2003 16:58:52 -0600
I'm running down some of my most frequent 'hits' in my database, and one of the biggest log-hogs is a website that we visit (for business purposes). I get a ton of what I thought were false positives from spp_portscan2 complaining about portscans (something on the order of 20 ports) out of snort. Plus I get a lot of 443 and icmp type 8 directed at the proxy server that bounce off of the iptables firewall. If anyone can help shed some light on this, I'd be very grateful.

I think I understand the portscan errors. My guess is that I have 20 or so users hitting the site at the same time, all from the same IP (the proxy server) and so snort interprets this as a scan.

I can also guess at the 443. I'm assuming that the secure portion of the session is being initiated by the server, rather than the client, and is failing to match state.

What's tying me up is the icmp. Why would a non-user ping me? Or, in other words, why would an automated process running on a web server ping one of its clients?

Has anyone seen this before? Is this normal? Or is this site up to something nefarious?

Thanks,

Bob McDowell
IS Specialist
Cox HealthPlans, LLC
417.269.2848