Unusual PING detected by snort... firewall rule to block?

I recently installed snort3 and have been monitoring things. I have tons of entries like this mapping back to a Comcast streaming box. Might be a false positive?

Mon Nov 28 12:37:38 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15
...

I'm thinking a traffic rule to drop this traffic would be a good idea? What do more knowledgeable people think?

config rule
  option name 'drop unusual ping'
  list proto 'icmp'
  option src 'guest'
  option dest 'wan'
  option target 'DROP'
  list src_ip '10.9.1.235'

0.0.0.0/8 is not routable, so it is not going anywhere. It might be an internal Comcast network though and you might break it if you block it.

The block seems to have no effect on usage. Amazing the things you see with snort.

Mon Nov 28 17:53:18 2022 auth.info snort: [1:648:18] "INDICATOR-SHELLCODE x86 NOOP" [Classification: Executable code was detected] [Priority: 1] {TCP} 146.75.82.68:80 -> 10.9.1.219:64003

Some IP address in Sweden??
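Added example, not from this thread or from the snort/OpenWrt projects: a small Python triage script that parses the two alert lines quoted above and applies the 0.0.0.0/8 point made earlier, so a flood of such alerts can be bucketed before anyone writes a firewall rule. The regex for the fast-alert fields and the bucket names are my own assumptions based on the lines shown here.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed layout of the Snort fast-alert fields as they appear in the syslog lines above.
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" '
    r'\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?'
)

# 0.0.0.0/8 is "this network" (RFC 1122 / RFC 6890): never forwarded off-link,
# so an ICMP alert destined there cannot be reaching the Internet.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

@dataclass
class Alert:
    sid: int
    msg: str
    priority: int
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one syslog line carrying a Snort alert; None if the line is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], int(m["prio"]), m["proto"],
                 ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]))

def triage(a: Alert) -> str:
    """Rough bucket for one alert, based only on its addresses and priority."""
    if a.dst in THIS_NETWORK:
        # Traffic that never leaves the LAN: an egress DROP rule changes nothing,
        # and (as noted above) the source device may rely on it. Verify before blocking.
        return "unroutable-dst"
    if a.src.is_global and a.dst.is_private and a.priority == 1:
        # Top-priority payload alert on an inbound flow from a public host: look at it.
        return "inbound-high"
    return "review"

LINES = [  # the two alert lines quoted in the thread
    'Mon Nov 28 12:37:38 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15',
    'Mon Nov 28 17:53:18 2022 auth.info snort: [1:648:18] "INDICATOR-SHELLCODE x86 NOOP" [Classification: Executable code was detected] [Priority: 1] {TCP} 146.75.82.68:80 -> 10.9.1.219:64003',
]

def triage_lines(lines):
    """Return (sid, bucket) for every line that parses as a Snort alert."""
    return [(a.sid, triage(a)) for a in map(parse_alert, lines) if a]
```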

I thought snort also blocked traffic?

Yes, both alert only and alert + block. Reading about it/testing as time allows and will update the wiki.
