[Snort-users] false alarm or not ?

Liuhy solar_liu at ...8882...
Tue Apr 29 02:04:07 EDT 2003

Hello everyone,

    I encountered a strange question. I will describe as following: 
    I have two computers, snort2.0 is installed on linux, which is configured as my firewall. The other computer installs Windows XP Pro. Now I have run snort on the firewall. I found that snort alerted as following every 6 minutes:

    [**] [1:466:1] ICMP L3retriever Ping [**]
    [Classification: Attempted Information Leak] [Priority: 2] 
    04/29-16:53:50.313874 ->
    ICMP TTL:32 TOS:0x0 ID:42625 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:512   Seq:29440  ECHO
    [Xref => http://www.whitehats.com/info/IDS311]

    [**] [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**]
    [Classification: Detection of a Denial of Service Attack] [Priority: 2] 
    04/29-16:53:54.836918 ->
    TCP TTL:128 TOS:0x0 ID:42635 IpLen:20 DgmLen:162 DF
    ***AP*** Seq: 0xA7872F3A  Ack: 0x54CB2BFA  Win: 0xF775  TcpLen: 20
    [Xref => http://www.corest.com/common/showdoc.php?idx=262] 
    [Xref=>http://www.microsoft.com/technet/security/bulletin/MS02-045.asp][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?

    I wondered if my computer is infected by viruses, or the packet that Windows system sent is normal, and snort false alarm. If it's the later, how can I deal with it?

Thanks in advance!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030429/398522ad/attachment.html>

More information about the Snort-users mailing list