[Snort-users] ISD171/ping zeros - One legit use

Sid s_i_d_j at ...131...
Thu May 31 23:45:24 EDT 2001

Same here. We are a data centre and have a couple of load balancing systems
hosted with us and they keep triggering this off. I also get dos-large-icmp
very frequently.


> FYI...
> One of our sites has been observing:
>   09:49:15 snort[2907]: IDS171/ping zeros: x.x.x.x -> y.y.y.y
> from snort. The content of these ping packets is essentially 1500 bytes
> of zeros (0's), and were arriving from five IP addresses assigned around
> the world.
> In researching the "source" of these packets, we received the following
> response from this well-known international company:
> "What you are seeing is a Wide area load balancing system trying to figure
> out which of our 3 data centers is closest to you.  Someone on your
> requested one of our websites, and our DNS/load balancing system tries
> probing your nameserver that the initial dns request came from, and
> instructs the other data centers to do the same to collect path metrics.
> Subsequent requests from your network result in being handed an IP for the
> closest/fastest data center.  http://www.f5.com has the relevant
> on how the system works.
> If you'd like to be put in an exclude list, we can stop the probes to your
> network.  It tries to be as quiet as possible, but is in no way malicious.
> It does tend to set off some IDS systems though."
> A search of multiple sites including snort.org and whitehats.org did not
> find any "negative" comments relative to IDS171, only one "could be an
> issue".
> Rich

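One way to triage these alerts, added here as an example and not part of the original thread: group IDS171 hits by destination and flag bursts where several distinct senders reach one of your own DNS resolvers within a few seconds, which is the pattern the vendor's reply describes. The resolver set, the thresholds, the verdict labels and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in the thread. Addresses are
# documentation-range placeholders, not values from the original post.
SAMPLE_LOG = """\
09:49:15 snort[2907]: IDS171/ping zeros: 192.0.2.10 -> 203.0.113.53
09:49:16 snort[2907]: IDS171/ping zeros: 198.51.100.7 -> 203.0.113.53
09:49:18 snort[2907]: IDS171/ping zeros: 192.0.2.99 -> 203.0.113.53
11:02:40 snort[2907]: IDS171/ping zeros: 198.51.100.200 -> 203.0.113.80
"""

ALERT = re.compile(
    r"^(\d\d):(\d\d):(\d\d) snort\[\d+\]: IDS171/ping zeros: (\S+) -> (\S+)$"
)


def triage(log_text, resolvers, window=10, min_sources=3):
    """Split IDS171 alerts into per-destination bursts and label each one.

    A burst is a run of alerts to one destination with no gap longer than
    `window` seconds. `window` and `min_sources` are assumed thresholds.
    Timestamps carry no date, so the input is assumed to cover a single day.
    """
    by_dst = defaultdict(list)
    for line in log_text.splitlines():
        m = ALERT.match(line.strip())
        if m:
            h, mi, s, src, dst = m.groups()
            by_dst[dst].append((int(h) * 3600 + int(mi) * 60 + int(s), src))

    bursts = []
    for dst, events in by_dst.items():
        events.sort()
        current = [events[0]]
        for ev in events[1:] + [None]:  # None flushes the final burst
            if ev is not None and ev[0] - current[-1][0] <= window:
                current.append(ev)
                continue
            sources = sorted({src for _, src in current})
            # Several distinct senders hitting one of our own resolvers at
            # once matches the multi-data-center probing the vendor describes.
            probe = dst in resolvers and len(sources) >= min_sources
            bursts.append({
                "dst": dst,
                "sources": sources,
                "verdict": "lb-probe-candidate" if probe else "review",
            })
            current = [ev]
    return bursts
```

A "lb-probe-candidate" verdict is a triage hint for follow-up with the sender, not a reason to suppress the rule; everything else stays in the normal review queue.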