[Snort-users] MISC Large ICMP Packet

shawn . moyer shawn at ...1184...
Thu Apr 5 15:12:19 EDT 2001


Aaron McKinnon wrote:
> 
> Getting lots of these:
> 
> [**] MISC Large ICMP Packet [**]
> 04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
> ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
> Type:8  Code:0  ID:39612   Seq:57072  ECHO
> 
> This machine is a web server. As best I can tell from some research this is
> nothing to worry about. Does anyone see a reason why I shouldn't disable
> this rule?

I noticed this rule firing a lot as well -- rather than disable it I
increased the dsize: setting in the rule to larger than the legitimate
packets that were triggering the rule.



--shawn


-- 

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
	                     -- Ted Turner
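
An added example, not part of the original message: one way to pick the new `dsize` value is to measure the ICMP payload sizes in the alerts that are already firing. It assumes `dsize` is compared against the bytes following the 8-byte ICMP echo header; the second alert block and the function names are constructed for illustration.

```python
import re

# Sample in Snort's full-alert text format. The first block is the alert quoted
# in the message above; the second block is constructed for illustration.
SAMPLE_ALERTS = """\
[**] MISC Large ICMP Packet [**]
04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57072  ECHO

[**] MISC Large ICMP Packet [**]
04/04-10:09:01.120034 192.0.2.10 -> 208.158.118.4
ICMP TTL:52 TOS:0x0 ID:2211 IpLen:20 DgmLen:1052
Type:8  Code:0  ID:512   Seq:7  ECHO
"""

ICMP_ECHO_HEADER_LEN = 8  # assumption: type, code, checksum, id, seq

HEADER_RE = re.compile(r"^ICMP .*?IpLen:(\d+) DgmLen:(\d+)", re.M)
ADDR_RE = re.compile(r"^\S+ (\S+) -> (\S+)$", re.M)


def icmp_payload_sizes(alert_text):
    """Return [(src, dst, payload_bytes)] for each ICMP alert block."""
    results = []
    for block in re.split(r"\n\s*\n", alert_text.strip()):
        hdr = HEADER_RE.search(block)
        addr = ADDR_RE.search(block)
        if not hdr or not addr:
            continue  # not an ICMP alert, or a truncated block
        ip_len, dgm_len = int(hdr.group(1)), int(hdr.group(2))
        payload = dgm_len - ip_len - ICMP_ECHO_HEADER_LEN
        if payload < 0:
            continue  # inconsistent lengths, skip rather than guess
        results.append((addr.group(1), addr.group(2), payload))
    return results


def min_quiet_threshold(sizes):
    """Smallest N for which 'dsize: >N' matches none of the listed packets."""
    return max(p for _, _, p in sizes) if sizes else None


if __name__ == "__main__":
    sizes = icmp_payload_sizes(SAMPLE_ALERTS)
    for src, dst, payload in sizes:
        print(f"{src} -> {dst}: {payload} payload bytes")
    print("rule goes quiet for these packets at dsize: >%d" % min_quiet_threshold(sizes))
```

Feed it only alerts from sources already confirmed as legitimate; a threshold derived from unreviewed traffic would hide whatever was in it.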



