[Snort-users] RE: Sid 466 (Semerjian, Ohanes)

David Powell dpowell at ...8963...
Fri May 2 11:56:58 EDT 2003


>Ohanes Semerjian wrote:
>
>Capture the traffic from and to that PC and check the type of the ICMP
>packet (as there are different types of ICMP) that should help you know
>what
>is actually going on.
>
>Best Regards
>
>Ohanes Semerjian

I've located one of many PC's that Snort is reporting this sid 466 on.  The
sensor is an internal one.  I'm getting hundreds of these alerts on sid 466
an hour.  Isolated this PC, ran NAI sniffer pro on this PC.  Ran a trace on
it and every few minitues it goes out to any of our DNS/NT domain
controllers and runs a ping w/payload that you see in sid 466.  I've
stripped everything off this PC that could remotely be considered a pest app
or virus and it still does the ping.  

Is this another one of those wonderful undocumented Microsoft "features"
that I've never seen?  


Dave Powell - Network Analyst
Infrastructure 310-258-7140
Herbalife IT Department






More information about the Snort-users mailing list