[Snort-users] MISC Large ICMP Packet

shawn . moyer shawn at ...1184...
Thu Apr 5 15:12:19 EDT 2001

Aaron McKinnon wrote:
> Getting lots of these:
> [**] MISC Large ICMP Packet [**]
> 04/04-10:08:22.879950 ->
> ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
> Type:8  Code:0  ID:39612   Seq:57072  ECHO
> This machine is a web server. As best I can tell from some research this is
> nothing to worry about. Does anyone see a reason why I shouldn't disable
> this rule?

I noticed this rule firing a lot as well -- rather than disable it I
increased the dsize: setting in the rule to larger than the legitimate
packets that were triggering the rule.



s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
	                     -- Ted Turner
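
The threshold adjustment described in the reply above, as an added example (not part of the original post and not Snort's own code): it parses alerts in the quoted format, derives each ICMP echo payload size from IpLen and DgmLen, and returns the largest size confirmed legitimate as the value to use in dsize. The sample alerts, the addresses, the function names, and the assumption that dsize counts only the bytes after the 8-byte echo header are constructed for illustration.

```python
import re

# Constructed sample alerts in the format quoted above. Addresses are
# documentation-range placeholders; the first record mirrors the quoted one.
SAMPLE = """\
[**] MISC Large ICMP Packet [**]
04/04-10:08:22.879950 192.0.2.10 -> 198.51.100.5
ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57072  ECHO

[**] MISC Large ICMP Packet [**]
04/04-10:09:01.120001 192.0.2.10 -> 198.51.100.5
ICMP TTL:245 TOS:0x0 ID:14950 IpLen:20 DgmLen:1028 DF
Type:8  Code:0  ID:39612   Seq:57073  ECHO
"""

# Matches the IP header line of an ICMP alert and captures both lengths.
HDR = re.compile(r"^ICMP .*?IpLen:(\d+) DgmLen:(\d+)", re.M)

# Echo header: type, code, checksum, id, seq.
# Assumption: dsize is compared against the bytes that follow this header.
ICMP_ECHO_HDR = 8


def payload_sizes(text):
    """Return the ICMP payload size in bytes for every alert record in text."""
    sizes = []
    for ip_len, dgm_len in HDR.findall(text):
        size = int(dgm_len) - int(ip_len) - ICMP_ECHO_HDR
        if size < 0:  # malformed or truncated record, skip it
            continue
        sizes.append(size)
    return sizes


def suggest_dsize(sizes, known_good):
    """Return N so that 'dsize: >N' stays silent for every verified size.

    known_good is the set of payload sizes the analyst has confirmed as
    legitimate traffic; sizes outside it do not raise the threshold.
    """
    legit = [s for s in sizes if s in known_good]
    return max(legit) if legit else None


def would_fire(size, threshold):
    """True if a rule with 'dsize: >threshold' alerts on this payload size."""
    return size > threshold
```

With the quoted alert (DgmLen 1500, IpLen 20) the payload is 1472 bytes, so a threshold of 1472 silences the rule for every payload that fits in a 1500-byte datagram.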
