[Snort-users] Weird alerts - false positive ?

Simon Attwell attwell at ...461...
Mon Nov 6 04:44:03 EST 2000


This is rather odd, I'm seeing ICMP DST Unreachables.... 

The alerts in most cases are sourced from my W2K host, and the destination
is a nameserver on my network; 21 and 53 are nameservers, 6 is the W2K box.

I'm not seeing any odd network traffic, since this is a rather small network:
4 hosts behind ISDN w/ static IP.

Any ideas as to what would generate these?
I can't think of any reason I should see ICMP unreachables.

Nov  5 23:48:43 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.53
Nov  5 23:49:21 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.53
Nov  6 00:13:10 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.53
Nov  6 00:13:10 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.21
Nov  6 00:13:32 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.53
Nov  6 00:36:42 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.53
Nov  6 01:24:13 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.53
Nov  6 01:58:16 snort[2510]: PING-ICMP Destination Unreachable: Y.Y.Y.145 -> X.X.89.6
Nov  6 01:58:26 last message repeated 2 times
Nov  6 01:59:51 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.53
Nov  6 01:59:52 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.53
Nov  6 01:59:56 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.21
Nov  6 03:44:16 snort[2510]: PING-ICMP Destination Unreachable: X.X.89.6 -> X.X.0.53

	 - Simon

--
Simon Attwell
Systems Engineer
Berbee
5520 Research Park Drive
Madison, WI 53711
attwell at ...460...

Berbee... putting the E in business.


