[Snort-users] MISC Large ICMP Packet

Neil Dickey neil at ...1633...
Thu Apr 5 13:47:36 EDT 2001


"Aaron McKinnon" <aaron at ...1376...> wrote asking:

>Getting lots of these:
>
>[**] MISC Large ICMP Packet [**]
>04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
>ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
>Type:8  Code:0  ID:39612   Seq:57072  ECHO
>
>This machine is a web server. As best I can tell from some research this is
>nothing to worry about. Does anyone see a reason why I shouldn't disable
>this rule?

Sometimes they're not so benign, and can be used in DoS attacks.  I get lots
of them as well, very commonly icmp-type 8 packets (pings) containing all
zeros.  I was tempted to disable the rule myself, but now I just look past
them.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
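As an added example (not code from this thread), a small Python triage script that parses alerts in the format quoted above, computes the ICMP payload size from DgmLen and IpLen, and tallies large echo requests per source, so the rule can be kept and its noise summarised rather than disabled. The 800-byte threshold is an assumption about the classic rule's dsize test, and the second alert block is constructed for comparison.

```python
import re
from dataclasses import dataclass
# Constructed sample in the alert format quoted in the thread: the poster's alert,
# then a constructed 84-byte ping for comparison.
SAMPLE_ALERTS = """\
[**] MISC Large ICMP Packet [**]
04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57072  ECHO
[**] ICMP PING [**]
04/04-10:08:23.101000 192.0.2.10 -> 208.158.118.4
ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1   Seq:1  ECHO
"""
LARGE_PAYLOAD = 800   # assumed threshold: the classic rule fires on dsize:>800
ICMP_HEADER_LEN = 8   # type, code, checksum, identifier, sequence
ALERT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n"
    r"\S+ (?P<src>[\d.]+) -> [\d.]+\n"
    r"ICMP .*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+).*\n"
    r"Type:(?P<type>\d+)\s+Code:(?P<code>\d+)"
)
@dataclass
class IcmpAlert:
    msg: str
    src: str
    ip_len: int
    dgm_len: int
    icmp_type: int

    @property
    def payload_len(self) -> int:
        # DgmLen covers the whole IP datagram; strip the IP and ICMP headers.
        return self.dgm_len - self.ip_len - ICMP_HEADER_LEN

    def is_large_echo(self) -> bool:
        return self.icmp_type == 8 and self.payload_len > LARGE_PAYLOAD

def parse_alerts(text: str) -> list:
    return [IcmpAlert(m["msg"], m["src"], int(m["iplen"]),
                      int(m["dgmlen"]), int(m["type"])) for m in ALERT_RE.finditer(text)]

def large_echo_by_source(alerts) -> dict:
    # Tally per source: a burst from one host is worth a look, a stray one is noise.
    counts = {}
    for a in alerts:
        if a.is_large_echo():
            counts[a.src] = counts.get(a.src, 0) + 1
    return counts
```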
