[Snort-users] what are these?

Erik Fichtner emf at ...367...
Tue Oct 3 20:56:18 EDT 2000


On Tue, Oct 03, 2000 at 12:26:34PM -0700, Robert E. Leever wrote:
> You're seeing exactly what I'm seeing.  The alerts don't have any
> port in them either.   Does ICMP protocol use ports?  

No.

> Isn't this the same as 'ping'?  

Yes.  The rule is triggering traceroute because of its ttl being 1, not 
because of the protocol (which is ICMP in this case.  An echo packet.)

> and doesn't ping happen at the link layer?

No.

> Which is why it looks so weird.  why would there necessarily be anything 
> at .255 to answer this - or does anything/everything on the subnet answer?

Probably some boneheaded microsoftism that is attempting to check for 
neighboring ip addresses by pinging the broadcast.

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
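
Added example, not part of the original message and not Snort's own code: a small Python parser showing the two points made in the reply above, that an ICMP echo carries a type and code rather than ports, and that a TTL-of-1 check fires regardless of protocol. The addresses, the /24 subnet and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

ICMP, TCP, UDP = 1, 6, 17
IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_ipv4(ttl, proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum left 0; constructed sample only)."""
    header = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload

def describe(packet, local_net="192.168.1.0/24"):
    """Return the fields an alert would show. local_net is an assumed subnet."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    l4 = packet[(ver_ihl & 0x0F) * 4:]  # skip the IP header (IHL is in 32-bit words)
    info = {"ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": None, "dport": None, "icmp_type": None, "icmp_code": None}
    if proto == ICMP:
        # ICMP has no port fields: the first two bytes are type and code.
        info["icmp_type"], info["icmp_code"] = l4[0], l4[1]
    elif proto in (TCP, UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    # A TTL-based traceroute check looks only at the IP header.
    info["ttl_is_1"] = ttl == 1
    net = ipaddress.ip_network(local_net)
    info["to_broadcast"] = ipaddress.IPv4Address(dst) == net.broadcast_address
    return info

# Constructed samples: an ICMP echo request (type 8, code 0) sent to the
# subnet broadcast with TTL 1, and a UDP datagram with TTL 1 to a single host.
ECHO_TO_BROADCAST = build_ipv4(1, ICMP, "192.168.1.10", "192.168.1.255",
                               struct.pack("!BBHHH", 8, 0, 0, 1, 1))
UDP_TTL1 = build_ipv4(1, UDP, "192.168.1.10", "192.168.1.20",
                      struct.pack("!HHHH", 40000, 33434, 8, 0))

if __name__ == "__main__":
    for name, pkt in (("echo", ECHO_TO_BROADCAST), ("udp", UDP_TTL1)):
        print(name, describe(pkt))
```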


