Snort mailing list archives

Re: Sid 466


From: Erick Mechler <emechler () techometer net>
Date: Wed, 30 Apr 2003 12:31:30 -0700

:: I'm looking at my top 5 alerts in Acid Console.  Second on my list is sid
:: 466.  I investigated one of the PCs that is being reported as generating
:: this alert.  I found nothing, and the user says he's not doing any ICMP to
:: any devices. Plus if I do a ping it doesn't generate this sid 466.  I'm pretty
:: sure this is a false positive.  Looking for suggestions as to whether I
:: should go ahead and turn off the rule or leave it in?

If you look at the alert itself, you'll see that it's being triggered
by a remote system initiating an echo request to you.  A normal "ping"
won't trigger this alert as normal pings don't have the required payload.

If you look at the reference for this alert,

  http://www.whitehats.com/info/IDS311

you'll see some more information which will indicate you're being scanned.  
If you don't want to know that you're getting scanned, go ahead and disable 
it.  However, if you're getting scanned a lot, which it sounds like you 
are, it might be good to investigate.

--Erick
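As an added illustration (not part of Erick's reply or of Snort's own code), here is a small Python sketch of why a plain ping does not match a rule of this shape while an echo request carrying a specific payload does. The signature bytes and the home network prefix are constructed placeholders, not the real SID 466 rule content.

```python
import struct

# Constructed placeholder: the real rule matches a specific fixed payload;
# this stand-in is NOT the actual signature.
SUSPECT_PAYLOAD = b"SCANNER-PROBE-PLACEHOLDER"
HOME_NET = "10.0.0."  # assumed home network prefix (constructed)

def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, payload) for a raw IPv4/ICMP packet, or None."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:   # protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 8:]

def matches_payload_rule(pkt: bytes) -> bool:
    """Mimic the rule's logic: external -> home echo request carrying the signature payload."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return False
    src, dst, icmp_type, payload = parsed
    if icmp_type != 8:                       # echo request only
        return False
    if src.startswith(HOME_NET) or not dst.startswith(HOME_NET):
        return False                         # direction: $EXTERNAL_NET -> $HOME_NET
    return SUSPECT_PAYLOAD in payload        # the content match that a plain ping lacks

def build_echo_request(src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 + ICMP echo request (checksums left zero; constructed test input)."""
    total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # type 8, code 0, csum, id, seq
    return ip + icmp + payload

# A typical ping payload is a timestamp plus filler bytes, not the signature.
NORMAL_PING = build_echo_request("192.0.2.7", "10.0.0.5", bytes(range(0x08, 0x38)))
SCAN_PROBE = build_echo_request("192.0.2.7", "10.0.0.5", SUSPECT_PAYLOAD)
```

Running `matches_payload_rule` over both packets shows the normal ping is ignored while the probe with the signature payload fires, which is the distinction the reply above draws.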

