[Snort-users] Rule 486 Why is this server initiating ICMP traffic?

James R. Marcus jmarcus at ...14853...
Tue May 11 17:01:24 EDT 2010

Yes it does, thanks
On May 11, 2010, at 4:38 PM, JJ Cummings wrote:

If you follow the logic of the event.. this is a RESPONSE from to saying "Destination Unreachable Communication with Destination Host is Administratively Prohibited"... so the originator of the ICMP request is actually  Make sense?


On Tue, May 11, 2010 at 2:31 PM, James R. Marcus <jmarcus at ...14853...> wrote:
I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the tuning stage.

I have a web server in the PCI environment that has been initiating ICMP traffic to external IPs. Here is the alert:

[1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} ->

I have read the summary of the rule at http://www.snort.org/search/sid/486?r=1 and understand that "no corrective action is necessary" but am curious about this traffic.

Originally I thought that Tomcat could be generating ICMP traffic, but was told on the Tomcat list that Java doesn't do that. I see that the destination IP did access this web server, to register an account.

Any thoughts on this?



:: James R. Marcus | Director, IT Operations
:: Edhance | jmarcus at ...14853...
:: v: 617-475-5360 | m: 914-772-8533
:: web: www.edhance.com
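
Added example, not part of the original thread: an ICMP Destination Unreachable message quotes the IP header and first 8 bytes of the datagram that was refused, so decoding that quote from a capture shows which host started the exchange and which port was rejected. The addresses, ports and sample packet below are constructed for illustration.

```python
import socket
import struct

SERVER, CLIENT = "192.0.2.10", "198.51.100.7"  # constructed documentation addresses

def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header for the constructed sample (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample():
    """Constructed packet: SERVER rejects CLIENT's TCP packet to port 8443."""
    original = ip_header(CLIENT, SERVER, 6, 8) + struct.pack("!HHI", 51515, 8443, 0)
    icmp = struct.pack("!BBHI", 3, 10, 0, 0) + original  # type 3, code 10, unused
    return ip_header(SERVER, CLIENT, 1, len(icmp)) + icmp

def parse_unreachable(packet):
    """Decode an ICMP Destination Unreachable IPv4 packet; None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[ihl] != 3:
        return None
    inner = packet[ihl + 8:]          # quoted header of the datagram being refused
    inner_ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if inner_ihl < 20 or len(inner) < inner_ihl:
        return None                   # quoted header missing or truncated
    info = {
        "icmp_sender": socket.inet_ntoa(packet[12:16]),
        "icmp_code": packet[ihl + 1],
        "original_src": socket.inet_ntoa(inner[12:16]),
        "original_dst": socket.inet_ntoa(inner[16:20]),
        "original_proto": inner[9],
        "original_dport": None,
    }
    l4 = inner[inner_ihl:]
    if inner[9] in (6, 17) and len(l4) >= 4:   # TCP/UDP: ports are the first 4 bytes
        info["original_dport"] = struct.unpack("!HH", l4[:4])[1]
    return info

if __name__ == "__main__":
    print(parse_unreachable(build_sample()))
```

In the sample the ICMP sender is also the original destination; when a firewall or router on the path sends the rejection, `icmp_sender` and `original_dst` differ.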

