[Snort-users] FYI - Possible cause for false positive - ICMP L3retriever Ping

Chris Green cmg at ...1935...
Thu Jun 13 05:19:01 EDT 2002


Michael Gargiullo <gargiullo at ...5068...> writes:

> FYI - One cause for false positives with :
>
> alert : ICMP L3retriever Ping
>
> From inside an ipchains firewall on a win2k server.  I used M$ SQL
> Server Enterprise Manager to connect to an external SQL Server.

Could you reproduce the full connection handshake for us?  I would
like to see how this acts.

If you are concerned about sensitive information being sent to a public
mailing list, please send me pcap formatted dumps.

Thanks,
-- 
Chris Green <cmg at ...1935...>
"I'm beginning to think that my router may be confused."



