[Snort-sigs] Suspected false positive description for sid 466
AJohnson at ...2586...
Fri Jun 25 06:53:04 EDT 2004
Just installed and set up snort & acid - thanks for the hard work you've put into it all. On some initial runs, I've noticed what I believe are false positives on the following rule:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
This event is generated when an ICMP echo request is made from a host running the L3 "Retriever 1.5" security scanner.
Ease of Attack:
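Added example, not part of the original post or of Snort's own code: a Python sketch of the tests sid 466 applies (itype 8, icode 0, the 32-byte content within depth 32), run against constructed ICMP messages. It shows that the rule keys only on the payload bytes, so any echo request carrying that payload matches regardless of what sent it. The helper names and sample packets are assumptions made for illustration.

```python
import struct

# Option values copied from the sid 466 rule quoted in the post.
RULE = {"itype": 8, "icode": 0,
        "content": b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI", "depth": 32}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(itype: int, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build a constructed ICMP echo message (ICMP header + payload, no IP header)."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def matches_sid_466(icmp: bytes) -> bool:
    """Apply the rule's itype, icode and content/depth tests to one ICMP message."""
    if len(icmp) < 8:
        return False
    if icmp[0] != RULE["itype"] or icmp[1] != RULE["icode"]:
        return False
    payload = icmp[8:]  # echo payload follows the 8-byte header (type, code, csum, id, seq)
    # depth:32 limits the search to the first 32 payload bytes; the rule has no
    # "nocase" modifier, so the comparison is case-sensitive.
    return RULE["content"] in payload[:RULE["depth"]]


if __name__ == "__main__":
    pattern = RULE["content"]
    samples = {  # constructed packets, not captured traffic
        "echo request, exact payload": build_echo(8, pattern),
        "echo request, payload plus trailing bytes": build_echo(8, pattern + b"1234"),
        "echo request, lowercase payload": build_echo(8, pattern.lower()),
        "echo request, pattern at payload offset 8": build_echo(8, b"\x00" * 8 + pattern),
        "echo reply, exact payload": build_echo(0, pattern),
    }
    for name, pkt in samples.items():
        print(f"{name}: {'ALERT' if matches_sid_466(pkt) else 'no match'}")
```

When triaging an alert on this sid, the source host and what it runs have to be established separately, since the match itself says nothing about the sending program.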