Re: Source of Recent Distributed Pings

[Joe Stewart <jstewart () LURHQ COM>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 20 December 2000 10:59, you wrote:
> I know this is a little bit old now, but I have had this rule in my
> ruleset (custom based on the 09262k ruleset) for a week or so and it does
> not differentiate properly.  I assume there must be some other product out
> there doing the same type of thing... perhaps somebody with some more
> snort knowledge would like to come up with a rule for this one? ;)
>
> Name:    magic.cybercon.com
> Address:  64.37.65.194
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> [**] PING *NIX Type [**]
> 12/20-10:53:28.400588 64.37.65.194 -> 63.87.101.XX
> ICMP TTL:55 TOS:0x0 ID:40914
> ID:15885   Seq:56770  ECHO
> 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
> 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
> 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
> 38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

It looks like Speedera may have tweaked their software to send out a smaller
payload in the pings. In any case, just lose the "depth: 100;" part of the
old sig and it should work fine:

alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3a3b 3c3d
3e3f|"; itype: 8; )

- -Joe

- --
Joe Stewart
Information Security Analyst
LURHQ Corporation
jstewart () lurhq com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6QO93kbW2pYIjPYgRAhAgAJ9IVi0Fg5DUR/AypAF3TK4TXZZ4EQCeL8VH
bts+vuuMVqevAklRjkJYZUI=
=HBE1
-----END PGP SIGNATURE-----