On 0, Chris Connell <chris.connell@issolutions.co.uk> allegedly wrote:
Hello Snort users,
I think I have found a false positive with the following rule
1:469
ICMP PING NMAP
This is constantly triggered from our Alteon AD4 load balancer sending
ICMP pings to our Cisco router's HSRP address which is its default
gateway which it is pinging as part of its failover mechanism.
Here are the packet contents from ethereal as you can see there is no
data in the ICMP header - other pings seem to have data in them.
In the false positive section for the rule it states:
"The only current identifying feature of nmap's ICMP ping is
that the data size is 0. It is entirely possible that other tools may
send icmp pings with zero data."
It would seem that your Alteon AD4 is one of those tools. Having said that,
if your AD4 and your router are both in your home net and your $HOME_NET
and $EXTERNAL_NET variables are set correctly, this rule should not
generate an event.
Chris Connell
Senior Network Analyst
SCSA SCNA CCNA
IS Solutions Plc
Tel: 01932 893333
Fax: 01932 893433
http://www.issolutions.co.uk <http://www.issolutions.co.uk/>
+-----------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
Cat: "Forget red - let's go all the way up to brown alert!"
Kryten: "There's no such thing as a brown alert sir."
Cat: "You won't be saying that in a minute!"
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
