This is a discussion on [Snort-users] L3 retriever false positive for windows ping? within the Snort forums, part of the System Security and Security Related category.
Greetings gang!

Apologies for the apparently horribly obvious question, but I'm not yet great at reading hex, and don't have the ability to deny this claim. I'm seeing an increase in snort alerts for the "L3 retriever ping" with this payload (I'm not concerned about src and dst not being obfuscated here):

    Payload length = 32
    000 : 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 ABCDEFGHIJKLMNOP
    010 : 51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49 QRSTUVWABCDEFGHI

that is all.... To me, this is clearly a sig for L3, but the windows admins are doing ping tests and dumps, and I look at the packet, and indeed, it also has that string... but not just that string... the windows payload has punctuation marks, then the alphabet string follows.... Aren't the two different? Or more clearly---- is there any way the packet above could be a normal, default windows ping?

Kind Regards, and thanks for any insight----

Corey
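One way to settle the "is this the same string?" question by reading the bytes rather than the ASCII column, as an added example that is not part of Corey's post or of Snort itself: a short Python script that parses the Snort dump format quoted in the post back into bytes, regenerates the dump from those bytes (so you can see how the right-hand column is derived), and then compares the payload byte-for-byte against the 32-byte L3retriever string and against a constructed lowercase Windows-style ping payload. The Windows sample is an assumption of the example, and the `content`/`depth`/`nocase` check only approximates Snort's real rule options; the point it makes is that Snort's `content` match is case-sensitive unless `nocase` is set, so a payload that looks alike in a hex dump can still differ in the bytes the rule sees.

```python
import re

# The content string of the L3retriever ping signature, as the 32 ASCII
# bytes the post's dump spells out (offsets 000-01F).
L3_RETRIEVER_PAYLOAD = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"

# Constructed comparison sample (an assumption of this example, not from the
# post): the lowercase 32-byte alphabet a Windows ping.exe echo request
# carries by default. Verify it against a capture from your own hosts.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# The two dump lines from the post, copied as sample input.
POSTED_DUMP = """\
000 : 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 ABCDEFGHIJKLMNOP
010 : 51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49 QRSTUVWABCDEFGHI
"""

# One dump line: hex offset, colon, up to 16 whitespace-terminated hex bytes.
_DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2}\s+){1,16})")


def parse_snort_dump(text: str) -> bytes:
    """Turn Snort 'OFFSET : HH HH ... ASCII' dump lines back into bytes.

    Only the hex columns are decoded; the ASCII column on the right is
    Snort's own rendering of the same bytes and is deliberately ignored."""
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"dump is not contiguous at line: {line!r}")
        out.extend(bytes.fromhex(m.group(2)))
    return bytes(out)


def snort_hexdump(data: bytes) -> str:
    """Render bytes in the layout Snort used in the post: a 3-digit hex offset,
    up to 16 hex bytes, then the printable-ASCII column ('.' for the rest)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexcol = " ".join(f"{b:02X}" for b in chunk)
        asccol = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:03X} : {hexcol:<47} {asccol}")
    return "\n".join(lines)


def content_matches(payload: bytes, content: bytes, depth: int, nocase: bool = False) -> bool:
    """Approximate Snort's content/depth/nocase test on an ICMP payload."""
    window = payload[:depth]
    if nocase:
        return content.lower() in window.lower()
    return content in window


def classify_echo_payload(payload: bytes) -> str:
    """Say which of the two 32-byte alphabet payloads this is, if either."""
    if payload == L3_RETRIEVER_PAYLOAD:
        return "l3retriever"
    if payload == WINDOWS_PING_PAYLOAD:
        return "windows-ping"
    if payload.upper() == L3_RETRIEVER_PAYLOAD:
        return "alphabet-other-case"
    return "other"


if __name__ == "__main__":
    captured = parse_snort_dump(POSTED_DUMP)
    print(snort_hexdump(captured))
    print("posted payload:", classify_echo_payload(captured))
    print("windows sample:", classify_echo_payload(WINDOWS_PING_PAYLOAD))
    # A case-sensitive content match (Snort's default) separates the two;
    # adding nocase would make the Windows sample fire the same rule.
    for label, p in (("posted", captured), ("windows", WINDOWS_PING_PAYLOAD)):
        print(label, "case-sensitive:", content_matches(p, L3_RETRIEVER_PAYLOAD, 32),
              "nocase:", content_matches(p, L3_RETRIEVER_PAYLOAD, 32, nocase=True))
```

Run it as-is to see the posted dump re-rendered from its hex bytes; to check a packet from your own Windows admins, paste its Snort dump lines into `POSTED_DUMP` and compare the classification and the case-sensitive/nocase results, which is a quicker tie-breaker than eyeballing the ASCII column.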