[Snort-users] Sid 466

Erick Mechler emechler at ...7719...
Wed Apr 30 12:32:09 EDT 2003


:: I'm looking at my top 5 alerts in Acid Console.  Second on my list is sid
:: 466.  I investigated one of the PCs that is being reported as generating
:: this alert.  I found nothing, and the user says he's not doing any ICMP to
:: any devices. Plus if I do a ping it doesn't generate this sid 466.  I'm pretty
:: sure this is a false positive.  Looking for suggestions as to whether I
:: should go ahead and turn off the rule or leave it in?

If you look at the alert itself, you'll see that it's being triggered
by a remote system initiating an echo request to you.  A normal "ping"
won't trigger this alert as normal pings don't have the required payload.

If you look at the reference for this alert,

  http://www.whitehats.com/info/IDS311

you'll see some more information which will indicate you're being scanned.  
If you don't want to know that you're getting scanned, go ahead and disable 
it.  However, if you're getting scanned a lot, which it sounds like you 
are, it might be good to investigate.

--Erick
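To make the point in the reply concrete, here is an added illustration (not part of Erick's message or the Snort ruleset): the rule fires on an ICMP echo request only when its payload carries the specific string the rule looks for. The content string and depth are quoted from the publicly distributed sid 466 rule as I recall it, and the Linux/Windows ping payloads are constructed samples; treat all of them as assumptions.

```python
import struct

# Constructed constants. The content string is the one in the publicly distributed
# Snort rule for sid 466 ("ICMP L3retriever Ping") as I recall it; treat it as an
# assumption, not something stated in the thread above.
L3RETRIEVER_PAYLOAD = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
CONTENT_DEPTH = 32       # rule option depth:32 -> match must lie within the first 32 payload bytes
ICMP_ECHO_REQUEST = 8

# Constructed sample payloads: a Linux-style ping (8-byte timestamp + bytes 0x10..0x3f)
# and a Windows-style ping (lowercase alphabet pattern).
LINUX_PING_PAYLOAD = struct.pack("!II", 1051720329, 0) + bytes(range(0x10, 0x40))
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a type 8 / code 0 ICMP echo request with a valid checksum (sample input only)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def matches_sid466(icmp: bytes) -> bool:
    """Apply the rule logic: itype:8, icode:0, content found within depth 32."""
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:   # truncated or corrupt: no match
        return False
    itype, icode = icmp[0], icmp[1]
    if itype != ICMP_ECHO_REQUEST or icode != 0:
        return False
    payload = icmp[8:]
    # bytes.find with an end bound reproduces depth: the whole content must
    # sit inside payload[:CONTENT_DEPTH], so a match further in does not count.
    return payload.find(L3RETRIEVER_PAYLOAD, 0, CONTENT_DEPTH) != -1

def classify_samples() -> dict:
    """Run the constructed echo requests through the rule logic (name -> alert?)."""
    samples = {"l3retriever": L3RETRIEVER_PAYLOAD, "linux_ping": LINUX_PING_PAYLOAD,
               "windows_ping": WINDOWS_PING_PAYLOAD}
    return {n: matches_sid466(build_echo_request(0x1234, 1, p)) for n, p in samples.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:13s} -> {'sid 466 alert' if hit else 'no alert'}")
```

Only the first sample alerts; an ordinary Linux or Windows ping, as in the original question, does not, which is why investigating the sending host's `ping` turns up nothing.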
