Security Incidents mailing list archives

Assistance and advice request


From: Kirklin Spencer <kspencer () WHITFIELD PUBLIC LIB GA US>
Date: Thu, 27 Jul 2000 16:39:28 -0400

I'm a beginner and looking for pointers.

Three days ago I installed SNORT on one of my network computers and started
it running.  I've got two interesting situations developing and am looking
for recommendations on tools and actions.  Oh, yes, I'm running NT4 SP6a,
and I've a couple of Red Hat Linux boxes I could hook up as well.

Situation one.  Very Large ICMP packet.
The vendor who provides the primary software for our company has a website.
Two to four times a day between 9 am and 9 pm each day three (originally
two) of my computers receive an ICMP packet consisting of 1462 consecutive
00s.  The origin of these packets is the company's web server.  The
computers receiving this packet are the computers from which I have gone
through the website's login screen to the customer support pages on the same
server.  Approximately 30 hours ago I notified the company and sent them a
copy of the log.  When they suggested it might be spoofed, I logged onto the
website with the third workstation.  Twenty minutes later it received a packet.  No other
computers on my network are being sent these packets.

Is there a legitimate reason I might be getting packets of this sort?  And
what tools and actions should I be using/doing?

Situation two.  Slow Scan.

Over the past two days I've been receiving a series of pings from an IP
address directed at my server.  Looking at the data it appears that it is a
port scan as snort reports the identifier as Destination unreachable:Port
unreachable.  I tried nslookup and whois on the IP and get nothing.  At this
time it's not an attack, but the fact that it's lasted two days and that the
intervals reported by snort are between half a second and one hour lead me
to suspect that it is a probe.  Again, what tools might I use and how should
I be using them (and who should I be telling)?

Thanks,

Kirk Spencer
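A defender-side way to work through both situations described above, as an added example that is not part of the original post or of Snort itself: the script parses a handful of constructed alert lines written in a format that only approximates Snort's one-line alert output (the IP addresses, timestamps and messages are invented for illustration) and then summarizes, per source address, how many alerts it produced, which hosts it touched, the total time span and the shortest and longest gap between alerts. That is the information needed to tell a handful of oversized ICMP packets from a known server (situation one) apart from a low-and-slow probe that keeps coming back over days (situation two), and to hand a concise summary to the remote site's administrators.

```python
import re
from datetime import datetime

# Constructed sample alerts (not real log data).  The format is an approximation
# of a one-line alert: timestamp, message between [**] markers, then src -> dst.
SAMPLE_ALERTS = """\
07/27-09:05:11.500000 [**] ICMP Destination Unreachable (Port Unreachable) [**] 198.51.100.7 -> 192.168.1.1
07/27-09:05:12.000000 [**] ICMP Destination Unreachable (Port Unreachable) [**] 198.51.100.7 -> 192.168.1.1
07/27-09:20:00.000000 [**] ICMP Echo Request, 1462-byte zero-filled payload [**] 203.0.113.10 -> 192.168.1.21
07/27-10:05:12.000000 [**] ICMP Destination Unreachable (Port Unreachable) [**] 198.51.100.7 -> 192.168.1.1
07/27-13:45:00.000000 [**] ICMP Echo Request, 1462-byte zero-filled payload [**] 203.0.113.10 -> 192.168.1.22
07/27-18:10:00.000000 [**] ICMP Echo Request, 1462-byte zero-filled payload [**] 203.0.113.10 -> 192.168.1.23
# a comment line the parser must skip
07/28-08:00:00.000000 [**] ICMP Destination Unreachable (Port Unreachable) [**] 198.51.100.7 -> 192.168.1.1
07/28-08:30:00.000000 [**] ICMP Destination Unreachable (Port Unreachable) [**] 198.51.100.7 -> 192.168.1.1
07/28-09:10:00.000000 [**] ICMP Destination Unreachable (Port Unreachable) [**] 198.51.100.7 -> 192.168.1.1
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # No year in the timestamp, so strptime fills in 1900; only differences matter here.
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "msg": m.group("msg"), "src": m.group("src"), "dst": m.group("dst")}


def summarize(lines):
    """Group alerts by source address and compute count, targets, span and gaps."""
    by_src = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        s = by_src.setdefault(a["src"], {"times": [], "dsts": set(), "msgs": set()})
        s["times"].append(a["ts"])
        s["dsts"].add(a["dst"])
        s["msgs"].add(a["msg"])

    summary = {}
    for src, s in by_src.items():
        times = sorted(s["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[src] = {
            "count": len(times),
            "targets": sorted(s["dsts"]),
            "messages": sorted(s["msgs"]),
            "span_hours": (times[-1] - times[0]).total_seconds() / 3600.0,
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
        }
    return summary


def slow_probe_sources(summary, min_events=5, min_span_hours=24.0):
    """Sources that keep coming back: enough events spread over at least a day."""
    return sorted(
        src for src, s in summary.items()
        if s["count"] >= min_events and s["span_hours"] >= min_span_hours
    )


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS.splitlines())
    for src, s in sorted(report.items()):
        print(f"{src}: {s['count']} alerts to {len(s['targets'])} host(s) "
              f"over {s['span_hours']:.1f} h, gaps {s['min_gap_s']}..{s['max_gap_s']} s")
    print("slow-probe candidates:", slow_probe_sources(report))
```

Tuning note: the thresholds in `slow_probe_sources` (five events, a 24-hour span) are arbitrary starting points chosen for this example; on a real sensor the useful values depend on how noisy the link is, and the per-source summary is what you would attach when reporting the activity to the owner of the remote address block.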
