Snort mailing list archives
Re: Sid 466
From: Erick Mechler <emechler () techometer net>
Date: Wed, 30 Apr 2003 12:31:30 -0700
:: I'm looking at my top 5 alerts in Acid Console. Second on my list is sid
:: 466. I investigated one of the PCs that is being reported as generating
:: this alert. I found nothing, and the user says he's not doing any ICMP to
:: any devices. Plus if I do a ping it doesn't generate this sid 466. I'm pretty
:: sure this is a false positive. Looking for suggestions as to whether I
:: should go ahead and turn off the rule or leave it in?

If you look at the alert itself, you'll see that it's being triggered by a remote system initiating an echo request to you. A normal "ping" won't trigger this alert as normal pings don't have the required payload. If you look at the reference for this alert, http://www.whitehats.com/info/IDS311 you'll see some more information which will indicate you're being scanned.

If you don't want to know that you're getting scanned, go ahead and disable it. However, if you're getting scanned a lot, which it sounds like you are, it might be good to investigate.

--Erick
Current thread:
- Sid 466 David Powell (Apr 30)
- Re: Sid 466 Matt Kettler (Apr 30)
- Re: Sid 466 Erick Mechler (Apr 30)
- <Possible follow-ups>
- RE: Sid 466 Semerjian, Ohanes (May 01)