[Snort-users] MISC Large ICMP Packet

Aaron McKinnon aaron at ...1376...
Fri Apr 6 13:31:46 EDT 2001


Shawn,

That's a great idea! Would you be kind enough to copy that line and send it
to the group (or just me...)?

-----------------------------------
Aaron McKinnon
System Administrator
Fullerene Productions, Inc.
3250 Wilshire Blvd. Suite 2000
Los Angeles, CA 90010
213.365.1692
-----------------------------------

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of shawn . moyer
Sent: Thursday, April 05, 2001 12:12 PM
To: Aaron McKinnon
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] MISC Large ICMP Packet


Aaron McKinnon wrote:
>
> Getting lots of these:
>
> [**] MISC Large ICMP Packet [**]
> 04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
> ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
> Type:8  Code:0  ID:39612   Seq:57072  ECHO
>
> This machine is a web server. As best I can tell from some research this is
> nothing to worry about. Does anyone see a reason why I shouldn't disable
> this rule?

I noticed this rule firing a lot as well -- rather than disable it I
increased the dsize: setting in the rule to larger than the legitimate
packets that were triggering the rule.



--shawn


--

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
	                     -- Ted Turner
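
Added example, not part of either message above: a Python sketch for sizing the dsize: change Shawn describes. It reads alerts in the format quoted in the thread, works out each ICMP payload size, and shows which sources a raised threshold would stop alerting on. Assumptions: dsize is compared against the bytes after the 8-byte ICMP echo header; only the first sample alert is from the thread, the other two are constructed; the function names are hypothetical.

```python
import re
from collections import Counter

# First entry is the alert quoted in the thread; the other two are constructed.
SAMPLE = """\
[**] MISC Large ICMP Packet [**]
04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57072  ECHO

[**] MISC Large ICMP Packet [**]
04/04-10:09:22.880112 208.223.170.122 -> 208.158.118.4
ICMP TTL:245 TOS:0x0 ID:14950 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57073  ECHO

[**] MISC Large ICMP Packet [**]
04/04-11:15:02.101500 192.0.2.77 -> 208.158.118.4
ICMP TTL:52 TOS:0x0 ID:4021 IpLen:20 DgmLen:1028
Type:8  Code:0  ID:512   Seq:1  ECHO
"""

ICMP_ECHO_HDR = 8  # type, code, checksum, id, seq (assumed excluded from dsize)

# Timestamp line with the source address, then the IP header summary line.
ENTRY = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+) -> \S+\n"
    r"ICMP .*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)",
    re.MULTILINE)

def payload_sizes(alert_text):
    """Count alerts per (source address, ICMP payload bytes)."""
    sizes = Counter()
    for m in ENTRY.finditer(alert_text):
        payload = int(m["dgmlen"]) - int(m["iplen"]) - ICMP_ECHO_HDR
        sizes[(m["src"], payload)] += 1
    return sizes

def quiet_threshold(sizes, trusted):
    """Smallest N for which 'dsize: >N' no longer fires on trusted sources."""
    seen = [size for (src, size) in sizes if src in trusted]
    return max(seen) if seen else None

def also_silenced(sizes, threshold, trusted):
    """Untrusted sources whose alerts would disappear at that threshold."""
    return sorted({src for (src, size) in sizes
                   if size <= threshold and src not in trusted})

if __name__ == "__main__":
    sizes = payload_sizes(SAMPLE)
    n = quiet_threshold(sizes, {"208.223.170.122"})
    print("dsize: >%d" % n, "also silences:", also_silenced(sizes, n, {"208.223.170.122"}))
```

The last function is the check to run before editing the rule: any address it returns is traffic that was alerting and would go quiet after the change.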
