[Snort-users] ICMP issues in VPN

dogbert at ...11664... dogbert at ...11664...
Fri Jul 23 09:22:10 EDT 2004


Hi all,

  Ok, now that I'm not going paranoid, here is the real question I am having.

We used to connect two locations over a dedicated T-1, and now we do it via
a VPN between Cisco gear (no problem, everything works just fine).  However,
I have started seeing some traffic issues related to the following types of
packets:

%    # packets   priority     type
75.1     999       low        ICMP Large ICMP Packet 
17.7     235       low        ICMP L3retriever Ping 
5.0       66       low        ICMP PING NMAP 

This is from the snort-rep 1.10 system, btw.

I would think that this is a false type positive, as these machines in
question (MS SQL, Domain Controllers, Root Servers), and the IP addresses
correspond to the IP addrs of these machines.  How does one normally deal
with a situation like this (i.e. - disregard ICMP for both networks which
are 172.21.x.x and 10.1.1.x), etc?

Any ideas would be helpful here :)

Bill Parker

p.s. - Does the Snort mailing list deal well with HTML stuff, due to the
fact that I sent an email from my home system (Outlook Express) and it got real
sick (got a reply back from da mailing list, even)?





