Snort mailing list archives

RE: Sid 466 (Semerjian, Ohanes)


From: David Powell <dpowell () herbalife com>
Date: Fri, 2 May 2003 11:52:10 -0700

Ohanes Semerjian wrote:

Capture the traffic from and to that PC and check the type of the ICMP
packet (as there are different types of ICMP) that should help you know
what is actually going on.

Best Regards

Ohanes Semerjian

I've located one of many PCs that Snort is reporting this sid 466 on.  The
sensor is an internal one.  I'm getting hundreds of these alerts on sid 466
an hour.  Isolated this PC, ran NAI sniffer pro on this PC.  Ran a trace on
it and every few minutes it goes out to any of our DNS/NT domain
controllers and runs a ping w/payload that you see in sid 466.  I've
stripped everything off this PC that could remotely be considered a pest app
or virus and it still does the ping.

Is this another one of those wonderful undocumented Microsoft "features"
that I've never seen?  


Dave Powell - Network Analyst
Infrastructure 310-258-7140
Herbalife IT Department



