[Snort-users] Rule 486 Why is this server initiating ICMP traffic?

James R. Marcus jmarcus at ...14853...
Tue May 11 17:01:24 EDT 2010


Yes it does, thanks
On May 11, 2010, at 4:38 PM, JJ Cummings wrote:

If you follow the logic of the event... this is a RESPONSE from 10.10.100.21 to 134.173.121.59 saying "Destination Unreachable Communication with Destination Host is Administratively Prohibited"... so the originator of the ICMP request is actually 134.173.121.59. Make sense?

JJC

On Tue, May 11, 2010 at 2:31 PM, James R. Marcus <jmarcus at ...14853...> wrote:
Hi,
I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the tuning stage.

I have a web server in the PCI environment that has been initiating ICMP traffic to external IPs. Here is the alert:

[1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.100.21 -> 134.173.121.59

I have read the summary of the rule at http://www.snort.org/search/sid/486?r=1 and understand that "no corrective action is necessary" but am curious about this traffic.

Originally I thought that Tomcat could be generating ICMP traffic, but was told on the Tomcat list that Java doesn't do that. I see that the destination IP did access this web server, to register an account.

Any thoughts on this?

Thanks,
James
:: James R. Marcus | Director, IT Operations
:: Edhance | jmarcus at ...14853...
:: v: 617-475-5360 | m: 914-772-8533
:: web: www.edhance.com
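The direction logic JJ describes can be checked directly on the packet rather than on the alert line. Snort prints the source and destination of the packet that matched the rule, so "10.10.100.21 -> 134.173.121.59" on sid 486 (ICMP type 3, code 10) means the web server emitted the ICMP error; the host it was talking about is found inside the ICMP payload, which carries the IP header plus the first 8 bytes of the datagram that was rejected. The decoder below is an added example, not code from this thread or from Snort. It builds a constructed ICMP packet using the two addresses from the alert (the TCP ports and sequence number are made up), then parses it to recover the originator and the rejected connection.

```python
"""Decode ICMP Destination Unreachable and identify who really started the conversation.

Added example for the Snort-users thread; not code from the thread or from Snort.
The sample packet is constructed here: the two IP addresses come from the alert,
the TCP ports and sequence number are invented for illustration.
"""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    3: "Port Unreachable",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when a header verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(sender: str, originator: str, code: int,
                           orig_proto: int, orig_l4: bytes) -> bytes:
    """Outer IP + ICMP type 3 quoting the offending datagram's IP header and first 8 L4 bytes."""
    inner = ipv4_header(originator, sender, orig_proto, len(orig_l4)) + orig_l4[:8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, originator, 1, len(icmp)) + icmp


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Return who sent the ICMP error and whose packet it was complaining about."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:]
    itype, icode = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not Destination Unreachable")
    inner = icmp[8:]                      # quoted original datagram starts after the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    l4 = inner[inner_ihl:inner_ihl + 8]
    ports = struct.unpack("!HH", l4[:4]) if inner_proto in (6, 17) and len(l4) >= 4 else (None, None)
    return {
        "icmp_sender": str(ipaddress.IPv4Address(pkt[12:16])),     # what Snort prints as src
        "icmp_receiver": str(ipaddress.IPv4Address(pkt[16:20])),   # what Snort prints as dst
        "code": icode,
        "code_name": ICMP_CODES.get(icode, "code %d" % icode),
        "originator": str(ipaddress.IPv4Address(inner[12:16])),    # who sent the rejected packet
        "rejected_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "rejected_proto": inner_proto,
        "rejected_src_port": ports[0],
        "rejected_dst_port": ports[1],
        "checksums_ok": checksum(pkt[:ihl]) == 0 and checksum(icmp) == 0,
    }


# Constructed sample: the external host tried TCP/443 to the web server (ports/seq invented),
# and the web server answered with type 3 code 10, which is what sid 486 matches on.
SAMPLE_PKT = build_icmp_unreachable(
    sender="10.10.100.21", originator="134.173.121.59", code=10,
    orig_proto=6, orig_l4=struct.pack("!HHI", 51234, 443, 1000),
)

if __name__ == "__main__":
    for k, v in parse_icmp_unreachable(SAMPLE_PKT).items():
        print("%-18s %s" % (k, v))
```

On a live sensor the same check is `tcpdump -nvv icmp` (or Snort's packet log with `-X`), where the quoted inner header is printed after the ICMP line; the inner source is the party that initiated, and the inner destination port tells you which service the local host's firewall policy rejected.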
