Snort mailing list archives

Re: Rule 486 Why is this server initiating ICMP traffic?


From: JJ Cummings <cummingsj () gmail com>
Date: Tue, 11 May 2010 14:38:49 -0600

If you follow the logic of the event.. this is a RESPONSE from 10.10.100.21
to 134.173.121.59 saying "Destination Unreachable Communication with
Destination Host is Administratively Prohibited"... so the originator of the
ICMP request is actually 134.173.121.59.  Make sense?

JJC

On Tue, May 11, 2010 at 2:31 PM, James R. Marcus <jmarcus () edhance com> wrote:

Hi,
I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the
tuning stage.

I have a web server in the PCI environment that has been initiating ICMP
traffic to external IPs. Here is the alert:

[1:486:5] ICMP Destination Unreachable Communication with Destination Host
is Administratively Prohibited [**] [Classification: Misc activity]
[Priority: 3] {ICMP} 10.10.100.21 -> 134.173.121.59

I have read the summary of the rule at
http://www.snort.org/search/sid/486?r=1 and understand that "no corrective
action is necessary" but am curious about this traffic.

Originally I thought that Tomcat could be generating ICMP traffic, but was
told on the Tomcat list that Java doesn't do that. I see that the
destination IP did access this web server, to register an account.

Any thoughts on this?

Thanks,
James
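As an added illustration of the point made in the reply above (example code, not from either poster): every ICMP Destination Unreachable message quotes the IP header and first 8 bytes of the packet it rejected, so the real originator can be read straight out of the ICMP payload rather than inferred from the alert's src -> dst. The packet bytes and ports below are constructed for the demo, not taken from James's capture.

```python
import re
import socket
import struct

UNREACHABLE_CODES = {3: "port unreachable", 13: "communication administratively prohibited",
                     10: "communication with destination host administratively prohibited"}
ALERT_RE = re.compile(r"\{ICMP\}\s+(\d+\.\d+\.\d+\.\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+)")

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Decode a type 3 message plus the quoted datagram (IP header + 8 bytes) it carries."""
    itype, code = icmp[0], icmp[1]
    if itype != 3 or icmp_checksum(icmp) != 0:
        raise ValueError("not a valid ICMP Destination Unreachable message")
    inner = icmp[8:]                      # quoted datagram that was rejected
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": code, "reason": UNREACHABLE_CODES.get(code, "code %d" % code),
            "orig_src": socket.inet_ntoa(inner[12:16]),
            "orig_dst": socket.inet_ntoa(inner[16:20]),
            "proto": inner[9], "sport": sport, "dport": dport}

def parse_alert_pair(line: str):
    """Pull the outer src -> dst of the ICMP packet out of a Snort alert line."""
    m = ALERT_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def originator(alert_src: str, alert_dst: str, info: dict) -> str:
    """The alert's src only sent the ICMP reply; the originator is the quoted header's src."""
    if info["orig_src"] != alert_dst:
        raise ValueError("ICMP reply not addressed to the rejected packet's sender")
    return info["orig_src"]

def build_sample() -> bytes:
    """Constructed sample (not captured traffic): 10.10.100.21 rejects a TCP SYN
    from 134.173.121.59 to port 8080 with type 3 / code 10. Ports are made up."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           socket.inet_aton("134.173.121.59"),
                           socket.inet_aton("10.10.100.21"))
    inner_tcp = struct.pack("!HHI", 51234, 8080, 1)       # sport, dport, seq
    body = struct.pack("!BBHI", 3, 10, 0, 0) + inner_ip + inner_tcp
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```

Feeding the alert line and the matching packet from a pcap into `parse_alert_pair` and `originator` gives 134.173.121.59 as the host whose packet was rejected, which is why no corrective action is needed on the web server side.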

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
