[Snort-users] MISC Large ICMP Packet

Aaron McKinnon aaron at ...1376...
Thu Apr 5 14:03:14 EDT 2001
Thanks for the advice. I am just tempted to try out that automagic firewall
that uses the snort logs. This would obviously throw a kink in the system.

-----------------------------------
Aaron McKinnon
System Administrator
Fullerene Productions, Inc.
3250 Wilshire Blvd. Suite 2000
Los Angeles, CA 90010
213.365.1692
-----------------------------------

-----Original Message-----
From: Neil Dickey [mailto:neil at ...1633...]
Sent: Thursday, April 05, 2001 10:48 AM
To: snort-users at lists.sourceforge.net
Cc: aaron at ...1376...
Subject: Re: [Snort-users] MISC Large ICMP Packet
"Aaron McKinnon" <aaron at ...1376...> wrote asking:

>Getting lots of these:
>
>[**] MISC Large ICMP Packet [**]
>04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
>ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
>Type:8  Code:0  ID:39612   Seq:57072  ECHO
>
>This machine is a web server. As best I can tell from some research this is
>nothing to worry about. Does anyone see a reason why I shouldn't disable
>this rule?

Sometimes they're not so benign, and can be used in DOS attacks.  I get lots
of them as well, very commonly icmp-type 8 packets (pings) containing all
zeros.  I was tempted to disable the rule myself, but now I just look past
them.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
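As an added illustration (not code from this thread or from Snort itself): a small Python parser for the full-format alert record quoted above, plus the per-source threshold that an automatic firewall fed from Snort logs would need before acting on a low-fidelity rule like this one. The second and third alert records, the 203.0.113.7 address and the threshold value are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample in the Snort "full" alert layout quoted in the thread: the
# first record is the one from the post; the next two use an RFC 5737 address.
SAMPLE_ALERTS = """\
[**] MISC Large ICMP Packet [**]
04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57072  ECHO

[**] MISC Large ICMP Packet [**]
04/04-10:08:23.100000 203.0.113.7 -> 208.158.118.4
ICMP TTL:245 TOS:0x0 ID:14914 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57073  ECHO

[**] MISC Large ICMP Packet [**]
04/04-10:08:23.200000 203.0.113.7 -> 208.158.118.4
ICMP TTL:245 TOS:0x0 ID:14915 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57074  ECHO
"""
HEADER = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]\s*$")
FLOW = re.compile(r"^\S+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
PROTO = re.compile(r"^(?P<proto>\w+) .*DgmLen:(?P<dgmlen>\d+)")
ICMP = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)")
# Signatures that also fire on legitimate traffic (big pings, MTU probes);
# a single hit is too weak a signal to drive an automatic firewall block.
LOW_FIDELITY = {"MISC Large ICMP Packet"}

def parse_alerts(text):
    """Parse full-format alert records into dicts, skipping malformed ones."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines() + [""] * 4  # pad so short records match nothing
        h, f, p, i = (HEADER.match(lines[0]), FLOW.match(lines[1]),
                      PROTO.match(lines[2]), ICMP.match(lines[3]))
        if h and f and p and i:
            records.append({"sig": h["sig"], "src": f["src"], "dst": f["dst"],
                            "proto": p["proto"], "dgmlen": int(p["dgmlen"]),
                            "icmp_type": int(i["type"]), "icmp_code": int(i["code"])})
    return records

def block_candidates(records, threshold=2):
    """Sources an auto-blocker may act on: low-fidelity sigs need `threshold` hits from one source, others block on the first."""
    hits, blocks = defaultdict(int), []
    for r in records:
        hits[r["src"]] += 1
        need = threshold if r["sig"] in LOW_FIDELITY else 1
        if hits[r["src"]] >= need and r["src"] not in blocks:
            blocks.append(r["src"])
    return blocks
```

With the default threshold the single large ping from the original post never reaches the firewall, while the repeated source does; the threshold and the signature set are the knobs such a setup needs tuned before it is allowed to write firewall rules.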