[Snort-users] what are these?
emf at ...367...
Tue Oct 3 20:56:18 EDT 2000
On Tue, Oct 03, 2000 at 12:26:34PM -0700, Robert E. Leever wrote:
> You're seeing exactly what I'm seeing. The alerts don't have any
> port in them either. Does ICMP protocol use ports?
> Isn't this the same as 'ping'?
Yes. The rule is triggering traceroute because of its TTL being 1, not
because of the protocol (which is ICMP in this case, an echo packet).
> and doesn't ping happen at the link layer?
> Which is why it looks so weird. Why would there necessarily be anything
> at .255 to answer this - or does anything/everything on the subnet answer?
Probably some boneheaded Microsoftism that is attempting to check for
neighboring IP addresses by pinging the broadcast.
Security Administrator, ServerVault, Inc.