darksky
November 28, 2022, 5:53pm
I recently installed snort3 and have been monitoring things. I have tons of entries like this mapping back to a Comcast streaming box. Might be a false positive?
Mon Nov 28 12:37:38 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15
...
I'm thinking a traffic rule to drop this traffic would be a good idea? What do more knowledgeable people think?
config rule
option name 'drop unusual ping'
list proto 'icmp'
option src 'guest'
option dest 'wan'
option target 'DROP'
list src_ip '10.9.1.235'
trendy
November 28, 2022, 7:59pm
0.0.0.0/8 is not routable, so it is not going anywhere. It might be an internal Comcast network though and you might break it if you block it.
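An added example (my own code, not from anyone in this thread) that parses the snort3 syslog alert lines quoted above and applies the point about 0.0.0.0/8: an alert whose destination falls in that block is tagged as non-routable, since a firewall rule on the WAN path has nothing to act on there. The sample log lines are the two posted in the thread, embedded here as constructed input.

```python
import ipaddress
import re

# Field layout taken from the snort3 syslog lines posted in the thread:
# snort: [gid:sid:rev] "msg" [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r'snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]+)" '
    r'\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?'
)

def parse_alert(line):
    """Return a dict of the alert fields, or None if the line is not a snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["priority"] = int(d["priority"])
    return d

def triage(alert):
    """Label the alert by where the traffic is headed, for review prioritisation."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    # 0.0.0.0/8 ("this" network) is not routable: packets to it never reach the WAN,
    # so a WAN drop rule cannot change anything about these alerts.
    if dst in ipaddress.ip_network("0.0.0.0/8"):
        return "dst-non-routable"
    if src.is_private and dst.is_private:
        return "internal"
    if src.is_private:
        return "outbound-to-external"
    return "inbound-from-external"

# Constructed sample input: the two alert lines quoted in this thread.
SAMPLE_LOG = [
    'Mon Nov 28 12:37:38 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15',
    'Mon Nov 28 17:53:18 2022 auth.info snort: [1:648:18] "INDICATOR-SHELLCODE x86 NOOP" [Classification: Executable code was detected] [Priority: 1] {TCP} 146.75.82.68:80 -> 10.9.1.219:64003',
]

def summarize(lines):
    """Parse each line; return (sid, msg, proto, src, dst, triage) tuples for alert lines."""
    rows = []
    for line in lines:
        a = parse_alert(line)
        if a:
            rows.append((a["sid"], a["msg"], a["proto"], a["src"], a["dst"], triage(a)))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```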
darksky
November 28, 2022, 11:20pm
The block seems to have no effect on usage. Amazing the things you see with snort.
Mon Nov 28 17:53:18 2022 auth.info snort: [1:648:18] "INDICATOR-SHELLCODE x86 NOOP" [Classification: Executable code was detected] [Priority: 1] {TCP} 146.75.82.68:80 -> 10.9.1.219:64003
Some IP address in Sweden??
I thought snort also blocked traffic too?
darksky
November 29, 2022, 10:25am
Yes, both alert only and alert + block. Reading about it/testing as time allows and will update the wiki.