[Snort-sigs] Suspected false positive description for sid 466

Adam Johnson AJohnson at ...2586...
Fri Jun 25 06:53:04 EDT 2004


Just installed and set up snort & acid - thanks for the hard work you've put into it all.  On some initial runs, I've noticed what I believe are false positives on the following rule:

Rule:  
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
--
Sid:
466
--
Summary:
 This event is generated when an ICMP echo request is made from a host running the L3 "Retriever 1.5" security scanner.
--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:


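As an added illustration (not part of the original post, and not Snort's own code), the sketch below applies the `itype`, `icode`, `content` and `depth` options of the quoted sid 466 rule to constructed ICMP messages, to show which traffic can fire it. The function names are hypothetical, and treating the payload as the bytes after the 8-byte echo header is an assumption.

```python
import struct

# Options copied from the sid 466 rule quoted in the post.
ITYPE, ICODE = 8, 0
CONTENT = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"  # 32 bytes, case-sensitive (no nocase)
DEPTH = 32

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(itype: int, icode: int, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build a constructed ICMP message to use as sample input."""
    header = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload

def matches_sid_466(icmp: bytes) -> bool:
    """Apply the rule's itype, icode, content and depth options."""
    if len(icmp) < 8:
        return False
    if (icmp[0], icmp[1]) != (ITYPE, ICODE):
        return False
    payload = icmp[8:]  # assumption: payload starts after the 8-byte echo header
    # depth:32 limits the search to the first 32 payload bytes; the pattern is
    # itself 32 bytes long, so it can only match starting at offset 0.
    return CONTENT in payload[:DEPTH]

# Constructed samples, not captured traffic.
SAMPLES = {
    "exact 32-byte payload": build_icmp(8, 0, CONTENT),
    "pattern plus trailing bytes": build_icmp(8, 0, CONTENT + b"\x00" * 24),
    "lowercase alphabet payload": build_icmp(8, 0, CONTENT.lower()),
    "pattern shifted by one byte": build_icmp(8, 0, b"X" + CONTENT),
    "echo reply with same payload": build_icmp(0, 0, CONTENT),
}

def evaluate_samples() -> dict:
    return {name: matches_sid_466(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'no alert':8}  {name}")
```

The rule carries no condition on the sender beyond `$EXTERNAL_NET`, so any echo request whose payload begins with this 32-byte string alerts, whatever program sent it.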