[Snort-users] Rule 486 Why is this server initiating ICMP traffic?

JJ Cummings cummingsj at ...11827...
Tue May 11 16:38:49 EDT 2010

If you follow the logic of the event.. this is a RESPONSE from
to saying "Destination Unreachable Communication with
Destination Host is Administratively Prohibited"... so the originator of the
ICMP request is actually  Make sense?


On Tue, May 11, 2010 at 2:31 PM, James R. Marcus <jmarcus at ...14853...> wrote:

> Hi,
> I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the
> tuning stage.
> I have a web server in the PCI environment that has been initiating ICMP
> traffic to external IPs. Here is the alert:
> [1:486:5] ICMP Destination Unreachable Communication with Destination Host
> is Administratively Prohibited [**] [Classification: Misc activity]
> [Priority: 3] {ICMP} ->
> I have read the summary of the rule at
> http://www.snort.org/search/sid/486?r=1 and understand that "no corrective
> action is necessary" but am curious about this traffic.
> Originally I thought that Tomcat could be generating ICMP traffic, but was
> told on the Tomcat list that Java doesn't do that. I see that the
> destination IP did access this web server, to register an account.
> Any thoughts on this?
> Thanks,
> James

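An added example, not part of the original thread: an ICMP Destination Unreachable message carries the IP header and first 8 bytes of the packet that triggered it (RFC 792), so decoding that embedded header shows which host sent the original traffic. The addresses, ports, and function names below are constructed for illustration; the sample assumes the web server rejected an inbound TCP packet with type 3, code 10.

```python
import socket
import struct

def build_ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_icmp_unreachable(packet):
    """Return who sent the ICMP error and which original packet triggered it."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 or packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if icmp_type != 3:
        raise ValueError("not Destination Unreachable")
    inner = packet[ihl + 8:]  # embedded original IP header + 8 bytes
    if len(inner) < 20:
        raise ValueError("embedded header truncated")
    inner_ihl = (inner[0] & 0x0F) * 4
    result = {
        "icmp_code": icmp_code,
        "error_sender": socket.inet_ntoa(packet[12:16]),
        "error_receiver": socket.inet_ntoa(packet[16:20]),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_proto": inner[9],
    }
    l4 = inner[inner_ihl:inner_ihl + 4]
    if inner[9] in (6, 17) and len(l4) == 4:  # TCP/UDP: ports come first
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", l4)
    return result

# Constructed sample: external client -> web server, rejected by the server.
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
tcp_first8 = struct.pack("!HHI", 51000, 8080, 0)         # sport, dport, seq
original = build_ipv4(CLIENT, SERVER, 6, tcp_first8)     # the triggering packet
icmp = struct.pack("!BBHI", 3, 10, 0, 0) + original      # type 3, code 10
SAMPLE = build_ipv4(SERVER, CLIENT, 1, icmp)             # what the sensor sees

if __name__ == "__main__":
    print(parse_icmp_unreachable(SAMPLE))
```

In the sample, the alert's source (`error_sender`) is the web server, while `orig_src` identifies the external host whose packet was refused.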