[Snort-users] what are these?
Robert E. Leever
bel1 at ...358...
Tue Oct 3 15:26:34 EDT 2000
You're seeing exactly what I'm seeing. The alerts don't have any
port in them either. Does ICMP protocol use ports? Isn't this the
same as 'ping'? And doesn't ping happen at the link layer?
Which is why it looks so weird. Why would there necessarily be anything
at .255 to answer this - or does anything/everything on the subnet answer?
The rule triggering this is:
alert icmp any any -> $OSISUBNET.0/24 any (msg:"Traceroute"; TTL: 1;)
and I suppose I should change it to !$OSISUBNET.0/24 any -> $OSISUBNET
but I'd still like to know what's causing it.
----- Begin Included Message -----