Snort mailing list archives
RE: Sid 466 (Semerjian, Ohanes)
From: David Powell <dpowell () herbalife com>
Date: Fri, 2 May 2003 11:52:10 -0700
Ohanes Semerjian wrote:

> Capture the traffic from and to that PC and check the type of the ICMP packet (as there are different types of ICMP); that should help you know what is actually going on.
>
> Best Regards
> Ohanes Semerjian

I've located one of many PCs that Snort is reporting this sid 466 on. The sensor is an internal one. I'm getting hundreds of these alerts on sid 466 an hour. Isolated this PC, ran NAI Sniffer Pro on this PC. Ran a trace on it and every few minutes it goes out to any of our DNS/NT domain controllers and runs a ping w/payload that you see in sid 466. I've stripped everything off this PC that could remotely be considered a pest app or virus and it still does the ping. Is this another one of those wonderful undocumented Microsoft "features" that I've never seen?

Dave Powell - Network Analyst
Infrastructure
310-258-7140
Herbalife IT Department
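
Added example (not part of the original messages): a Python version of the check suggested in the quoted advice, parsing raw IPv4 packets from a capture and tallying ICMP type, code and payload per source/destination pair so that a repeating ping with a fixed payload stands out. The addresses, payload bytes and function names are constructed for illustration, and getting the packets out of the sniffer as raw bytes is assumed.

```python
import socket, struct
from collections import Counter

ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}

def checksum(data):
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(src, dst, icmp_type, payload, proto=1):
    """Build a constructed IPv4 packet for the sample (IP header checksum left at 0)."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 128, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + body

def parse_icmp(pkt):
    """Return the ICMP fields of a raw IPv4 packet, or None if it is not ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    if len(pkt) < ihl + 8:
        return None
    icmp = pkt[ihl:]
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "type": icmp[0], "code": icmp[1],
            "name": ICMP_NAMES.get(icmp[0], "other"),
            "checksum_ok": checksum(icmp) == 0,
            "payload": icmp[8:]}

def summarize(packets):
    """Count ICMP packets per (src, dst, type name, payload) to expose repeats."""
    seen = Counter()
    for p in filter(None, map(parse_icmp, packets)):
        seen[(p["src"], p["dst"], p["name"], p["payload"])] += 1
    return seen

# Constructed sample (not capture data): a workstation pinging two servers,
# one reply, and one non-ICMP packet that the parser must skip.
PC, DC1, DC2 = "192.0.2.10", "192.0.2.53", "192.0.2.54"
PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD"
SAMPLE = [build(PC, DC1, 8, PAYLOAD), build(DC1, PC, 0, PAYLOAD),
          build(PC, DC2, 8, PAYLOAD), build(PC, DC1, 8, PAYLOAD),
          build(PC, DC1, 8, PAYLOAD, proto=17)]
print(summarize(SAMPLE).most_common())
```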