[Snort-users] Rule 486 Why is this server initiating ICMP traffic?

James R. Marcus jmarcus at ...14853...
Tue May 11 16:31:14 EDT 2010


Hi,
I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the tuning stage.

I have a web server in the PCI environment that has been initiating ICMP traffic to external IPs. Here is the alert:

[1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.100.21 -> 134.173.121.59

I have read the summary of the rule at http://www.snort.org/search/sid/486?r=1 and understand that "no corrective action is necessary" but am curious about this traffic.

Originally I thought that Tomcat could be generating ICMP traffic, but was told on the Tomcat list that Java doesn't do that. I see that the destination IP did access this web server, to register an account.

Any thoughts on this?  

Thanks,
James
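As an added illustration (not part of the list post), the following Python parses the fast-format alert line quoted above and works out what an ICMP Destination Unreachable alert actually says about flow direction. The sample line is the one from the post; the parser, the code table and the triage notes are assumptions of this example, based on the ICMP type and code definitions in RFC 792 and RFC 1812 rather than on anything Snort itself emits. The point it makes: ICMP type 3 is an error report, so the host listed as the alert's source is answering a packet it received from the destination, not opening a connection of its own.

```python
import re

# Constructed sample input: the alert line quoted in the post, in Snort's
# "fast" alert format (the post omitted the leading timestamp).
SAMPLE_ALERT = (
    "[1:486:5] ICMP Destination Unreachable Communication with Destination Host "
    "is Administratively Prohibited [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 10.10.100.21 -> 134.173.121.59"
)

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<classification>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<priority>\d+)\])?"
    r"\s+\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Split one fast-format alert line into fields; return None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


# ICMP types that are error reports: a host emits them only in reaction to a datagram
# it just received (RFC 792), so the "source" of such an alert is really the responder.
# Echo/timestamp/info requests (types 8, 13, 15, 17) are the ones that start a flow.
ICMP_ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
                    11: "Time Exceeded", 12: "Parameter Problem"}

# Destination Unreachable codes (RFC 792 codes 0-5, RFC 1812 codes 6-15), keyed by the
# wording Snort's rule messages use. Only the codes relevant here are listed (assumption).
UNREACH_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed",
    5: "Source Route Failed",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}

ADMIN_PROHIBITED = {9, 10, 13}


def unreachable_code_from_msg(msg):
    """Map a rule's msg text back to the type 3 code it describes; longest match wins."""
    best = None
    for code, text in UNREACH_CODES.items():
        if text.lower() in msg.lower():
            if best is None or len(text) > len(UNREACH_CODES[best]):
                best = code
    return best


def triage(alert):
    """Say which side originated the exchange and what a defender should check next."""
    if alert is None or alert["proto"].upper() != "ICMP":
        return {"direction": "unknown", "note": "not an ICMP alert"}
    if "destination unreachable" not in alert["msg"].lower():
        return {"direction": "unknown", "note": "not an ICMP type 3 message"}
    code = unreachable_code_from_msg(alert["msg"])
    if code in ADMIN_PROHIBITED:
        cause = ("a packet filter on or in front of the responder (host firewall, "
                 "router ACL) rejected the original packet")
    elif code == 3:
        cause = "nothing was listening on the port the original packet targeted"
    else:
        cause = "the original packet could not be delivered"
    return {
        "icmp_type": 3,
        "icmp_code": code,
        "direction": "response",
        "responder": alert["src"],
        "original_sender": alert["dst"],
        "cause": cause,
        "check": "look for traffic from %s to %s immediately before this alert; "
                 "the quoted header inside the ICMP payload identifies that packet"
                 % (alert["dst"], alert["src"]),
    }


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    for k, v in triage(parsed).items():
        print("%-16s %s" % (k, v))
```

Because the ICMP error carries the IP header and first bytes of the packet it is answering, correlating the alert with the preceding inbound flow from the destination address (which the post already notes visited the web server) is the check that settles whether the server "initiated" anything.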


