[Snort-users] what are these?

Robert E. Leever bel1 at ...358...
Tue Oct 3 15:26:34 EDT 2000


Hi James

You're seeing exactly what I'm seeing.  The alerts don't have any
port in them either.  Does the ICMP protocol use ports?  Isn't this the
same as 'ping'?  And doesn't ping happen at the link layer?
Which is why it looks so weird.  Why would there necessarily be anything
at .255 to answer this - or does anything/everything on the subnet answer?

The rule triggering this is:
alert icmp any any -> $OSISUBNET.0/24 any (msg:"Traceroute"; TTL: 1;)
 
and I suppose I should change it to !$OSISUBNET.0/24 any -> $OSISUBNET 

but I'd still like to know what's causing it.

thanks

b;)

----- Begin Included Message -----


