[Snort-users] Rule 486 Why is this server initiating ICMP traffic?

JJ Cummings cummingsj at ...11827...
Tue May 11 16:38:49 EDT 2010


If you follow the logic of the event... this is a RESPONSE from 10.10.100.21
to 134.173.121.59 saying "Destination Unreachable Communication with
Destination Host is Administratively Prohibited"... so the originator of the
ICMP request is actually 134.173.121.59.  Make sense?

JJC

On Tue, May 11, 2010 at 2:31 PM, James R. Marcus <jmarcus at ...14853...> wrote:

> Hi,
> I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the
> tuning stage.
>
> I have a web server in the PCI environment that has been initiating ICMP
> traffic to external IPs. Here is the alert:
>
> [1:486:5] ICMP Destination Unreachable Communication with Destination Host
> is Administratively Prohibited [**] [Classification: Misc activity]
> [Priority: 3] {ICMP} 10.10.100.21 -> 134.173.121.59
>
> I have read the summary of the rule at
> http://www.snort.org/search/sid/486?r=1 and understand that "no corrective
> action is necessary" but am curious about this traffic.
>
> Originally I thought that Tomcat could be generating ICMP traffic, but was
> told on the Tomcat list that Java doesn't do that. I see that the
> destination IP did access this web server, to register an account.
>
> Any thoughts on this?
>
> Thanks,
> James
>
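To make JJC's reading of the alert concrete, here is an added example (not from the original thread, and not Snort code) that builds an ICMP Destination Unreachable packet matching the alert's endpoints and then decodes it. The outer IP header is what Snort prints as "{ICMP} 10.10.100.21 -> 134.173.121.59"; the quoted datagram inside the ICMP message (RFC 792 requires the offending IP header plus 8 bytes of its payload) names the real originator. The dropped TCP SYN to port 22, the port numbers and the sequence number are all constructed for the example; nothing here is captured from James's server.

```python
"""
Decode an ICMP "Destination Unreachable" alert the way JJC reads it: the outer
IP header shows who *sent* the ICMP error, the embedded datagram shows who
*started* the conversation.  All packets below are constructed, not captured.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
# Selected type-3 codes from RFC 792 / RFC 1812 (IANA ICMP parameters)
CODE_NAMES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    3: "Port Unreachable",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement Internet checksum; returns 0 for a valid buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_dest_unreachable(sender: str, receiver: str, code: int, dropped: bytes) -> bytes:
    """What a host or router emits when it refuses `dropped` (RFC 792): ICMP type 3,
    quoting the dropped datagram's IP header plus its first 8 transport bytes."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + dropped[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, receiver, IPPROTO_ICMP, len(icmp)) + icmp


def decode_dest_unreachable(packet: bytes) -> dict:
    """Split an ICMP type-3 packet into the outer part (who sent the error) and the
    embedded original datagram (who originated the traffic).  Raises ValueError on
    anything that is not a well-formed, checksum-valid Destination Unreachable."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        raise ValueError("outer datagram is not ICMP")
    icmp = packet[ihl:]
    if len(icmp) < 8 + 28 or icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a complete ICMP Destination Unreachable message")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        # This is the pair Snort prints in "{ICMP} src -> dst"
        "icmp_sender": socket.inet_ntoa(packet[12:16]),
        "icmp_receiver": socket.inet_ntoa(packet[16:20]),
        "code": icmp[1],
        "code_name": CODE_NAMES.get(icmp[1], "code %d" % icmp[1]),
        # These come from the quoted datagram: the real originator and its target
        "originator": socket.inet_ntoa(inner[12:16]),
        "original_target": socket.inet_ntoa(inner[16:20]),
        "original_proto": inner[9],
        "original_sport": sport,
        "original_dport": dport,
    }


# --- Constructed scenario mirroring the endpoints in the alert ----------------
WEB_SERVER, EXTERNAL = "10.10.100.21", "134.173.121.59"
# Hypothetical: the external host sends a TCP SYN to port 22 on the web server,
# whose host firewall rejects it with "host administratively prohibited" (code 10).
DROPPED_SYN = ipv4_header(EXTERNAL, WEB_SERVER, IPPROTO_TCP, 20) + struct.pack(
    "!HHIIBBHHH", 51234, 22, 0x11223344, 0, 0x50, 0x02, 65535, 0, 0)
ALERT_PACKET = build_dest_unreachable(WEB_SERVER, EXTERNAL, 10, DROPPED_SYN)


def explain(packet: bytes) -> str:
    """One-line reading of the alert that names the true originator."""
    d = decode_dest_unreachable(packet)
    return ("%s -> %s is an ICMP reply (%s); the originator is %s, which sent proto %d "
            "from port %d to %s:%d" % (d["icmp_sender"], d["icmp_receiver"], d["code_name"],
                                       d["originator"], d["original_proto"],
                                       d["original_sport"], d["original_target"],
                                       d["original_dport"]))


if __name__ == "__main__":
    print(explain(ALERT_PACKET))
```

Running the script prints the alert re-read from the embedded header, with 134.173.121.59 as the originator. When tuning, the same decode applied to the real packet (Snort's -d / full packet logging keeps the ICMP payload) tells you which connection attempt the web server's firewall refused, which is usually more useful than the outer src/dst pair alone.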

