[Snort-users] MISC Large ICMP Packet

Aaron McKinnon aaron at ...1376...
Fri Apr 6 13:31:46 EDT 2001


That's a great idea! Would you be kind enough to copy that line and send it
to the group (or just me...)?

Aaron McKinnon
System Administrator
Fullerene Productions, Inc.
3250 Wilshire Blvd. Suite 2000
Los Angeles, CA 90010

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of shawn .
Sent: Thursday, April 05, 2001 12:12 PM
To: Aaron McKinnon
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] MISC Large ICMP Packet

Aaron McKinnon wrote:
> Getting lots of these:
> [**] MISC Large ICMP Packet [**]
> 04/04-10:08:22.879950 ->
> ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
> Type:8  Code:0  ID:39612   Seq:57072  ECHO
> This machine is a web server. As best I can tell from some research this is
> nothing to worry about. Does anyone see a reason why I shouldn't disable
> this rule?

I noticed this rule firing a lot as well -- rather than disable it I
increased the dsize: setting in the rule to larger than the legitimate
packets that were triggering the rule.



s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
	                     -- Ted Turner
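
Added example, not part of the thread and not Snort's own code: a Python script for the approach in shawn's reply, which reads alerts in the layout quoted above, works out the ICMP echo payload size of each, and builds a dsize option just above the largest one. The function names and the second sample alert are constructed; it assumes dsize counts the bytes after the 8-byte echo header and that every alert fed in has already been reviewed as legitimate traffic.

```python
import re

# Constructed sample in the alert layout quoted in the thread. The first
# alert carries the values from the post; the second is invented here.
# The address line has no addresses, as in the post.
SAMPLE_ALERTS = """\
[**] MISC Large ICMP Packet [**]
04/04-10:08:22.879950 ->
ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57072  ECHO

[**] MISC Large ICMP Packet [**]
04/04-10:09:01.120000 ->
ICMP TTL:245 TOS:0x0 ID:14920 IpLen:20 DgmLen:1028 DF
Type:8  Code:0  ID:39612   Seq:57073  ECHO
"""

MARKER = "[**] MISC Large ICMP Packet [**]"
ICMP_ECHO_HEADER = 8      # type, code, checksum, id, seq (RFC 792)
ECHO_TYPES = (0, 8)       # echo reply, echo request

HDR_RE = re.compile(r"^ICMP .*?IpLen:(\d+) DgmLen:(\d+)", re.M)
TYPE_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)", re.M)


def echo_payload_sizes(alert_text):
    """Return (icmp_type, payload_bytes) for each echo alert in the text."""
    results = []
    for block in alert_text.split(MARKER)[1:]:
        hdr, typ = HDR_RE.search(block), TYPE_RE.search(block)
        if not hdr or not typ:
            continue  # truncated or differently formatted alert
        icmp_type = int(typ.group(1))
        if icmp_type not in ECHO_TYPES:
            continue  # the 8-byte header size only holds for echo messages
        ip_len, dgm_len = int(hdr.group(1)), int(hdr.group(2))
        payload = dgm_len - ip_len - ICMP_ECHO_HEADER
        if payload >= 0:
            results.append((icmp_type, payload))
    return results


def suggested_dsize(alert_text):
    """Build a dsize option that stays silent for every payload seen."""
    sizes = [payload for _, payload in echo_payload_sizes(alert_text)]
    if not sizes:
        return None  # nothing reviewed, so no basis for a threshold
    return "dsize:>%d;" % max(sizes)
```

For the 1500-byte datagrams in the post this yields `dsize:>1472;`, so the rule stays enabled and fires only on echo payloads larger than the ones already seen.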
