Since Friday I have been seeing some different hits in SNORT. I am getting a lot of "ICMP Destination Unreachable (Communication Administratively Prohibited)" records. Now when I look at the Alerts page it shows Source address as a computer outside my network and the destination address as my web server. How if I look at the "Payload" (attached) it says my web server is the source address and I am trying to ping an external address (which I'm not). Now I googled this and didn't really find much, but there was some comments made about "Spoofing". My question, does this look like my web servers IP address is being spoofed and sending out ping sweeps?


Thanks