[Snort-users] MISC Large ICMP Packet

roel at ...47... roel at ...47...
Thu Apr 5 18:44:13 EDT 2001


I've seen similar things, I suspect that these are probes from a couple of 
possible places:
- content distribution networks (akamai and the like)
- caching networks (squid)
- ad networks (doubleclick and the like)

Most of the time when I saw these the source address turned out to be part of
the address space of one of the above.

However, I noticed the source address on this one was part of a netblock owned
by the Brearley School in New York. So it's sort of suspicious....

-- 
roel
Silicon Defense: Technical Support for Snort!
http://www.SiliconDefense.com






