[Snort-users] Sid 466

Matt Kettler mkettler at ...4108...
Wed Apr 30 12:19:02 EDT 2003

At 10:22 AM 4/30/2003 -0700, David Powell wrote:
>I'm looking at my top 5 alerts in Acid Console.  Second on my list is sid
>466.  I investigated one of the PCs that is being reported as generating
>this alert.  I found nothing, and the user says he's not doing any ICMP to
>any devices. Plus if I do a ping it doesn't generate this sid 466.  I'm pretty
>sure this is a false positive.  Looking for suggestions as to whether I
>should go ahead and turn off the rule or leave it in?

From what I read, win2k clients can under certain conditions generate ICMP 
echo requests that match this. However I don't believe it is the standard 
"ping" command that generates them.

Based on my experience it is probably their MTU path discovery feature.

I've seen several windows clients send pings containing a small bitmap 
graphic of the windows logo when they first connect to a server on a remote 
subnet. Could be that they changed the pattern. The ping containing the 
bitmap graphic turned out to be a MTU discovery mechanism.

You might want to keep that rule on for a bit longer and investigate the 
pattern of when they come around. Is it always a client sending it to a 
fileserver in a separate subnet? Are they going to far corners of the 
world? To the network of one of your competitors?

After you've got some rough idea as to the whens and whys then you can 
probably turn the rule off.
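One way to do the pattern check suggested above (who is sending SID 466 to whom, whether it crosses subnets, and whether it ever leaves the local network) is to summarize the alerts by source and destination subnet. This is an added example, not code from the original thread; the Snort fast-format alert lines, addresses and the local prefix are constructed, and the summary assumes /24 subnets.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Snort "fast" alert format, one alert per line.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample alerts: timestamps and addresses are made up for this example.
SAMPLE_ALERTS = """\
04/30-09:01:12.000001 [**] [1:466:1] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.15 -> 10.1.5.7
04/30-09:02:40.000002 [**] [1:466:1] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.22 -> 10.1.5.7
04/30-09:05:03.000003 [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.2.15 -> 10.1.2.1
04/30-09:07:55.000004 [**] [1:466:1] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.3.8 -> 203.0.113.40
"""

LOCAL_NETS = [ip_network("10.1.0.0/16")]  # assumed local address space; adjust per site

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in (ALERT_RE.match(l.strip()) for l in text.splitlines()) if m]

def summarize_sid(text, sid=466, local_nets=LOCAL_NETS, prefix=24):
    """Group one SID's alerts by (src subnet, dst subnet); count cross-subnet hits
    and list (src, dst) pairs whose destination lies outside local_nets."""
    pairs, cross_subnet, external = Counter(), 0, []
    for a in parse_alerts(text):
        if int(a["sid"]) != sid:
            continue
        src, dst = ip_address(a["src"]), ip_address(a["dst"])
        src_net = ip_network(f"{src}/{prefix}", strict=False)  # client's subnet
        dst_net = ip_network(f"{dst}/{prefix}", strict=False)  # target's subnet
        pairs[(str(src_net), str(dst_net))] += 1
        if src_net != dst_net:
            cross_subnet += 1  # e.g. a client pinging a fileserver on another subnet
        if not any(dst in n for n in local_nets):
            external.append((str(src), str(dst)))  # left the local network entirely
    return {"pairs": pairs, "cross_subnet": cross_subnet, "external": external}

if __name__ == "__main__":
    s = summarize_sid(SAMPLE_ALERTS)
    for (src_net, dst_net), n in s["pairs"].most_common():
        print(f"{src_net} -> {dst_net}: {n} alert(s)")
    print("cross-subnet:", s["cross_subnet"], "external:", s["external"])
```

Run it over a real alert file with a longer window and the counts show whether the hits are confined to client-to-fileserver traffic or include destinations worth a closer look before the rule is disabled.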

