[Snort-users] large, empty ICMP?

Ofir Arkin ofir at ...949...
Wed Jan 31 12:29:59 EST 2001


1500 bytes a datagram?
This is part of a PMTU discovery process an HPUX 10.3x, 11.x / AIX 4.3x is
doing against your machine after you have communicated with a machine
carrying one of those OSs.

Go back in this list's history; we discussed this in the past.
Hope this helps.

Ofir Arkin
ofir at ...949...
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Robert L.
Yelvington
Sent: Tuesday, January 30, 2001 8:45 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] large, empty ICMP?


I am running RH 6.2 w/snort 1.6.3, perhaps with an old rule set...but, I
just recently noticed these in my logs:

01/19-16:50:11.755231 OTHERHOST -> MYHOST
ICMP TTL:243 TOS:0x0 ID:48088  DF
ID:0   Seq:0  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
...etc, etc.


Does this mean that my rules may have broken something?  OR is something
broken?

I read recently that snort 1.7 is still having some issues on RH.

Has anyone had any problems running 1.6.3 w/snortfull.conf?

Would appreciate some "light" on this.

Thanks!!

-robt

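A triage helper for the kind of log entry discussed in this thread, added here as an example and not part of either poster's message or of Snort: it parses entries in the log layout quoted above and flags ICMP echo requests with DF set and an all-zero payload, the pattern the reply attributes to PMTU discovery. The function names and the second sample entry are constructed for illustration.

```python
import re

# Constructed sample in the log layout quoted in the post; the first entry is
# shortened to two payload rows and the second entry is made up as a contrast.
SAMPLE_LOG = """\
01/19-16:50:11.755231 OTHERHOST -> MYHOST
ICMP TTL:243 TOS:0x0 ID:48088  DF
ID:0   Seq:0  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

01/19-16:51:02.101010 HOSTB -> MYHOST
ICMP TTL:54 TOS:0x0 ID:1234
ID:512   Seq:256  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
"""

HEADER = re.compile(r"^(\S+) (\S+) -> (\S+)$")
# Up to 16 "XX " groups, then the extra space that precedes the ASCII column.
HEX_ROW = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16}) ")

def parse_entries(text):
    """Split the log on blank lines and parse each ICMP entry into a dict."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m or len(lines) < 3 or not lines[1].startswith("ICMP"):
            continue  # not an ICMP entry in the expected layout
        payload = bytearray()
        for row in lines[3:]:
            h = HEX_ROW.match(row)
            if h:
                payload += bytes.fromhex(h.group(1))
        entries.append({
            "time": m.group(1), "src": m.group(2), "dst": m.group(3),
            "df": "DF" in lines[1].split(),              # Don't Fragment flag
            "echo": lines[2].split()[-1] == "ECHO",      # request, not reply
            "payload": bytes(payload),
        })
    return entries

def looks_like_pmtu_probe(entry):
    """Echo request with DF set and a non-empty payload of only zero bytes."""
    p = entry["payload"]
    return entry["echo"] and entry["df"] and len(p) > 0 and not any(p)

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["time"], e["src"], len(e["payload"]), looks_like_pmtu_probe(e))
```

Because the dump in the post is truncated, the check does not test the datagram size; on complete log entries a length comparison against the expected MTU could be added to the predicate.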