[Snort-sigs] MISC Large ICMP Packet

Hugo van der Kooij hvdkooij at ...481...
Sat Apr 13 15:57:04 EDT 2002


Hi,

I seem to get these warnings on some DNS servers when I try to query for a 
reverse DNS entry. (Or rather my DNS server sends out the query on behalf 
of my fwlogwatch script.)

Apr 13 23:14:46 vigor snort[15654]: [1:499:1] MISC Large ICMP Packet 
[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 
212.162.215.10 -> 213.84.18.35

This seems to be a false positive that I can't explain based on the 
signature.

So far I found only 2 servers with this odd habit.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.




