[Snort-sigs] ICMP rules: sid 499,473, 477, 487

m@...1214... 27gb7uy02 at ...1212...
Fri May 9 06:01:05 EDT 2003

Hi there,
Before disabling some ICMP rules I would like to see any comments about:

Alerts that are probably FPs are generated by (slightly changed for better readability):
1. alert icmp $EXTERNAL_NET any -> $HOME_NET any
   (msg:"ICMP Large ICMP Packet"; dsize: >800;
   reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)
2. alert icmp $EXTERNAL_NET any -> $HOME_NET any
   (msg:"ICMP redirect net"; itype:5; icode:0;
   reference:arachnids,199; reference:cve,CVE-1999-0265;
   classtype:bad-unknown; sid:473; rev:1;)
3. alert icmp $EXTERNAL_NET any -> $HOME_NET any
   (msg:"ICMP Source Quench"; itype: 4; icode: 0;
   classtype:bad-unknown; sid:477; rev:1;)
4. alert icmp any any -> any any
   (msg:"ICMP Destination Unreachable (Communication with Destination Network
   is Administratively Prohibited)"; itype: 3; icode: 9;
   sid:487; classtype:misc-activity; rev:2;)
1. Generated by ICMP packets, many of them (not 100% sure), with a (long) payload
containing a digisle.com system monitoring reference.
2. Lots of alerts, but from 2 IP addresses, not in my home network but in the
same Internet class C.
3. I don't think this could ever be a probable attack, could it?

Thank you for any advice.
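Added example (not part of the original post, and not Snort's own code): a small evaluator for the four rules quoted above that models only the parts of rule syntax they use (the header's address specs and direction, plus itype, icode and dsize). It assumes $HOME_NET is 192.0.2.0/24 and feeds in a handful of constructed packets, so you can see which sid each one would raise and, with alert_counts, whether a noisy rule really comes from just a couple of source addresses, as the poster observed for sid 473.

```python
"""Toy evaluator for the four ICMP rules quoted in the post.

Only the rule features those rules use are modelled: the header
(action, protocol, source/destination specs, direction) and the
itype / icode / dsize options. reference, classtype, sid and rev are
parsed but do not affect matching. Real Snort does much more.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The four rules from the post, each joined onto one line.
RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; '
    'dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net";itype:5;icode:0; '
    'reference:arachnids,199; reference:cve,CVE-1999-0265; classtype:bad-unknown; sid:473; rev:1;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; itype: 4; icode: 0; '
    'classtype:bad-unknown; sid:477; rev:1;)',
    'alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication with '
    'Destination Network is Administratively Prohibited)"; itype: 3; icode: 9; '
    'sid:487;  classtype:misc-activity; rev:2;)',
]

# Assumed value for $HOME_NET (a documentation prefix, not a real network).
HOME_NET = [ip_network("192.0.2.0/24")]

RULE_HEADER = re.compile(
    r'^alert\s+icmp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


@dataclass
class IcmpPacket:
    src: str          # source IP
    dst: str          # destination IP
    itype: int        # ICMP type
    icode: int        # ICMP code
    payload_len: int  # bytes after the ICMP header (what dsize tests)


def parse_rule(text):
    """Split a rule into header fields and an options dict {keyword: [values]}."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    src, _sport, dst, _dport, body = m.groups()
    options = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options.setdefault(key.strip(), []).append(value.strip())
    return {"src": src, "dst": dst, "options": options}


def addr_matches(spec, ip):
    """Resolve the $HOME_NET / $EXTERNAL_NET / any address specs these rules use."""
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return any(ip_address(ip) in net for net in HOME_NET)
    if spec == "$EXTERNAL_NET":
        return not addr_matches("$HOME_NET", ip)
    raise ValueError("unsupported address spec: " + spec)


def dsize_matches(spec, length):
    """dsize as '>n', '<n' or an exact 'n' (the rules here only use '>800')."""
    if spec.startswith(">"):
        return length > int(spec[1:])
    if spec.startswith("<"):
        return length < int(spec[1:])
    return length == int(spec)


def rule_matches(rule, pkt):
    if not (addr_matches(rule["src"], pkt.src) and addr_matches(rule["dst"], pkt.dst)):
        return False
    opts = rule["options"]
    if "itype" in opts and pkt.itype != int(opts["itype"][0]):
        return False
    if "icode" in opts and pkt.icode != int(opts["icode"][0]):
        return False
    if "dsize" in opts and not dsize_matches(opts["dsize"][0], pkt.payload_len):
        return False
    return True


PARSED_RULES = [parse_rule(r) for r in RULES]


def alerts_for(pkt, rules=PARSED_RULES):
    """Return the sids of every rule the packet triggers, in rule-file order."""
    return [int(r["options"]["sid"][0]) for r in rules if rule_matches(r, pkt)]


def alert_counts(packets, rules=PARSED_RULES):
    """Aggregate alerts as (sid, source IP) -> count: the view that shows
    whether a chatty rule is really just one or two talkers."""
    counts = Counter()
    for pkt in packets:
        for sid in alerts_for(pkt, rules):
            counts[(sid, pkt.src)] += 1
    return dict(counts)


# Constructed sample traffic (addresses from the documentation ranges).
SAMPLE_PACKETS = [
    IcmpPacket("198.51.100.7", "192.0.2.10", 0, 0, 1000),  # big echo reply from outside
    IcmpPacket("198.51.100.7", "192.0.2.10", 5, 0, 56),    # redirect from outside
    IcmpPacket("198.51.100.8", "192.0.2.10", 5, 0, 56),    # redirect, second outside host
    IcmpPacket("192.0.2.1", "192.0.2.10", 3, 9, 56),       # admin-prohibited from own router
    IcmpPacket("192.0.2.5", "192.0.2.10", 8, 0, 1000),     # big ping inside the home net
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.src, "->", pkt.dst, "type", pkt.itype, "code", pkt.icode,
              "sids", alerts_for(pkt))
    print(alert_counts(SAMPLE_PACKETS))
```

Note that sid 487 is written with "any any -> any any", so it fires on an administratively-prohibited message from a router inside your own network, where the other three rules only fire on traffic from $EXTERNAL_NET; the large inside-to-inside ping raises nothing at all. When evaluating whether to disable a rule, the (sid, source) breakdown is usually more useful than the raw alert total.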
