[Snort-users] Sid 466
mkettler at ...4108...
Wed Apr 30 12:19:02 EDT 2003
At 10:22 AM 4/30/2003 -0700, David Powell wrote:
>I'm looking at my top 5 alerts in Acid Console. Second on my list is sid
>466. I investigated one of the PCs that is being reported as generating
>this alert. I found nothing, and the user says he's not doing any ICMP to
>any devices. Plus if I do a ping it doesn't generate this sid 466. I'm pretty
>sure this is a false positive. Looking for suggestions as to whether I
>should go ahead and turn off the rule or leave it in?
From what I read, win2k clients can under certain conditions generate ICMP
echo requests that match this. However, I don't believe it is the standard
"ping" command that generates them.
Based on my experience it is probably their MTU path discovery feature.
I've seen several Windows clients send pings containing a small bitmap
graphic of the Windows logo when they first connect to a server on a remote
subnet. Could be that they changed the pattern. The ping containing the
bitmap graphic turned out to be an MTU discovery mechanism.
You might want to keep that rule on for a bit longer and investigate the
pattern of when they come around. Is it always a client sending it to a
fileserver in a separate subnet? Are they going to far corners of the
world? To the network of one of your competitors?
After you've got some rough idea as to the whens and whys, then you can
probably turn the rule off.
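One way to do the investigation suggested above, as an added example that is not part of this thread: parse Snort "fast" alert lines, keep only the SID in question, and count source/destination subnet pairs so that "client to a fileserver in a separate subnet" stands out from same-subnet traffic. The alert lines are constructed samples, and `cross_subnet_pairs` is a helper introduced here.

```python
import re
import ipaddress
from collections import Counter

# Fields of a Snort fast-format alert line (timestamp, [gid:sid:rev], msg, proto, src -> dst).
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)

def parse_fast_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not match."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None

def subnet_of(addr, prefix=24):
    """Collapse a host address to its /prefix network so alerts can be grouped by subnet."""
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def summarize_sid(lines, sid, prefix=24):
    """Count alerts for one SID keyed by (source subnet, destination subnet)."""
    counts = Counter()
    for line in lines:
        a = parse_fast_alert(line)
        if a is None or int(a["sid"]) != sid:
            continue
        counts[(subnet_of(a["src"], prefix), subnet_of(a["dst"], prefix))] += 1
    return counts

def cross_subnet_pairs(counts):
    """Keep only the pairs where the source and destination subnets differ."""
    return {pair: n for pair, n in counts.items() if pair[0] != pair[1]}

# Constructed sample alerts: two sid 466 hits from one client subnet to a server
# subnet, one same-subnet hit, one unrelated SID, and one line that is not an alert.
SAMPLE = [
    "04/30-10:22:01.123456  [**] [1:466:1] ICMP L3retriever Ping [**] [Priority: 2] {ICMP} 10.1.2.3 -> 10.2.0.5",
    "04/30-10:22:05.654321  [**] [1:466:1] ICMP L3retriever Ping [**] [Priority: 2] {ICMP} 10.1.2.7 -> 10.2.0.5",
    "04/30-10:23:09.000001  [**] [1:466:1] ICMP L3retriever Ping [**] [Priority: 2] {ICMP} 10.1.2.3 -> 10.1.2.9",
    "04/30-10:23:10.000002  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.1.2.3 -> 10.2.0.5",
    "this line is not an alert",
]

if __name__ == "__main__":
    for (src_net, dst_net), n in summarize_sid(SAMPLE, 466).most_common():
        print(f"{src_net} -> {dst_net}: {n}")
```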