Re: snort detecting ICMP traffic, tomcat?
On Tue, May 11, 2010 at 09:33:36AM -0500, Caldarale, Charles R wrote:
> > From: James R. Marcus [mailto:jmar...@edhance.com]
> > Subject: snort detecting ICMP traffic, tomcat?
> >
> > Could Tomcat be generating ICMP traffic to an IP accessing the server?
>
> No. Java is not capable of generating ICMP messages.

That's not what ICMP Unreachable means. It's a response from the target host to a connection attempt by the requesting host which could or should not be accepted. It should be sent by the host's network stack, not anything in userspace, but it can be triggered by any program which requests a connection that is refused. Java certainly can evoke one of these, even if it can't send them.

In this case (Host Administratively Prohibited), 121d59.pitzer.edu is saying, "I refuse to talk to you on any port."

I have no idea what is requesting a connection to that host, or why. It sounds like someone's workstation ("121d59") is configured to refuse traffic from internal-only (10/8) addresses. It might be helpful to start up a packet monitor and sample the attempts, to see what port(s) are being requested.

I find it interesting that there are two PTR records in DNS for that address, and the other one is to "jk-dc96425b8e." That's not the sort of name you expect from DNS. You might want to report that to someone at Pitzer College. A 'whois' query for pitzer.edu returns nothing, too.

--
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a
little more than 2 percent of world population has broadband.
    -- Ledford and Tyler, _Google Analytics 2.0_

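Added example, not part of the original thread or any poster's code: the reply above suggests sampling the traffic with a packet monitor to see what port(s) are being requested. An ICMP Destination Unreachable message carries the IP header and first 8 bytes of the datagram that triggered it, so a captured alert packet can be decoded for the original addresses and ports. The sample packet is constructed: the addresses come from the alert, and the TCP ports 51515 and 8080 are assumptions.

```python
import socket
import struct

# ICMP type 3 (Destination Unreachable) codes: RFC 792, RFC 1122, RFC 1812.
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

def ipv4_header(buf):
    """Return (header_len, protocol, src, dst) for the IPv4 header at buf[0:]."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])

def parse_unreachable(packet):
    """Decode an ICMP Destination Unreachable and the datagram that caused it."""
    ihl, proto, sender, receiver = ipv4_header(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] != 3:
        return None  # not ICMP type 3
    inner = icmp[8:]  # original IP header + first 8 bytes of its payload
    in_ihl, in_proto, o_src, o_dst = ipv4_header(inner)
    result = {"icmp_from": sender, "icmp_to": receiver,
              "reason": UNREACH_CODES.get(icmp[1], "code %d" % icmp[1]),
              "orig_src": o_src, "orig_dst": o_dst, "orig_proto": in_proto,
              "orig_sport": None, "orig_dport": None}
    if in_proto in (6, 17) and len(inner) >= in_ihl + 4:  # TCP or UDP ports
        result["orig_sport"], result["orig_dport"] = struct.unpack(
            "!HH", inner[in_ihl:in_ihl + 4])
    return result

def build_sample():
    """Constructed packet: addresses from the alert, ports are made up."""
    a, b = socket.inet_aton("10.10.100.21"), socket.inet_aton("134.173.121.59")
    inner = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 64, 6, 0) + b + a
    inner += struct.pack("!HHI", 51515, 8080, 0)       # TCP sport, dport, seq
    icmp = struct.pack("!BBHI", 3, 10, 0, 0) + inner    # checksum left as 0
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0) + a + b
    return outer + icmp

if __name__ == "__main__":
    print(parse_unreachable(build_sample()))
```

Feed `parse_unreachable` the raw IP packet bytes from a capture of the alerting traffic; the `orig_*` fields identify the connection attempt that the ICMP message is answering.
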
Re: snort detecting ICMP traffic, tomcat?
On 11/05/2010 15:17, James R. Marcus wrote:
> Hi,
> I run Snort in a PCI environment. I have just rebuilt Snort and I’m in the
> tuning stage.
>
> I have Tomcat 6.0.18 in the PCI environment and it may be initiating ICMP
> traffic to external IPs. Here is the alert:
>
> [1:486:5] ICMP Destination Unreachable Communication with Destination Host is
> Administratively Prohibited [**] [Classification: Misc activity] [Priority:
> 3] {ICMP} 10.10.100.21 -> 134.173.121.59
>
> I have read the summary of the rule at
> http://www.snort.org/search/sid/486?r=1 and understand that "no corrective
> action is necessary" but am curious about this traffic.
>
> Could Tomcat be generating ICMP traffic to an IP accessing the server?
>
> Is this some kind of keep alive?

Please start a new message next time, rather than replying to & editing an existing message. (Which is called thread hijacking).

p

> Thanks,
> James
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

RE: snort detecting ICMP traffic, tomcat?
> From: James R. Marcus [mailto:jmar...@edhance.com]
> Subject: snort detecting ICMP traffic, tomcat?
>
> Could Tomcat be generating ICMP traffic to an IP accessing the server?

No. Java is not capable of generating ICMP messages.

 - Chuck