[Snort-users] ICMP from many hosts.

Max Vision vision at ...4...
Thu Oct 12 20:24:37 EDT 2000


At 03:02 PM 10/12/2000 -0400, Robert Buckley wrote:
>Instead of spamming snort-users list Ill post the output from a
>visit http://24.191.42.95/snort/snortlog-10-10-1024
>The log will be there for 24 hours,

Hi,

I sent a more detailed response earlier directly to Robert.  Basically this 
was just a plain traceroute, initiated from his computer, absolutely 
textbook normal.

He had been using several mislabeled snort rules (not from arachNIDS) which 
could definitely give a user the wrong idea about what traffic he is 
seeing.  Note that both "PING-ICMP Time Exceeded" and "PING-ICMP 
Destination Unreachable" are not "pings".

Max




More information about the Snort-users mailing list