Security Incidents mailing list archives
Re: Source of Recent Distributed Pings
From: Joe Stewart <jstewart () LURHQ COM>
Date: Wed, 20 Dec 2000 12:42:10 -0500
On Wednesday 20 December 2000 10:59, you wrote:

> I know this is a little bit old now, but I have had this rule in my ruleset (custom based on the 09262k ruleset) for a week or so and it does not differentiate properly. I assume there must be some other product out there doing the same type of thing... perhaps somebody with some more snort knowledge would like to come up with a rule for this one? ;)
>
> Name: magic.cybercon.com
> Address: 64.37.65.194
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> [**] PING *NIX Type [**]
> 12/20-10:53:28.400588 64.37.65.194 -> 63.87.101.XX
> ICMP TTL:55 TOS:0x0 ID:40914
> ID:15885 Seq:56770 ECHO
> 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
> 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
> 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
> 38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

It looks like Speedera may have tweaked their software to send out a smaller payload in the pings. In any case, just lose the "depth: 100;" part of the old sig and it should work fine:

alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3a3b 3c3d 3e3f|"; itype: 8; )

-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
jstewart () lurhq com
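The check the rule above performs, as an added example written for this archive page (not Joe's code or Snort's): it rebuilds the echo request from the quoted alert (id 15885, seq 56770, data bytes 08..3F) and applies the rule's itype and content tests, with depth as an optional search limit so the effect of dropping "depth:" on a payload of a different size can be seen.

```python
import struct

# Constructed sample: the data bytes 08..3F shown in the quoted hex dump (56 bytes).
SPEEDERA_DATA = bytes(range(0x08, 0x40))

# The rule from the post, as a dict: msg, content bytes, ICMP type, optional depth.
RULE = {"msg": "PING Speedera",
        "content": bytes.fromhex("38393a3b3c3d3e3f"),
        "itype": 8,
        "depth": None}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """8-byte ICMP header (type, code 0, checksum, id, seq) followed by data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def parse_icmp(packet: bytes) -> dict:
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"itype": itype, "code": code, "csum": csum,
            "id": ident, "seq": seq, "payload": packet[8:]}


def match_offset(packet: bytes, rule: dict) -> int:
    """Offset of the rule's content within the ICMP data, or -1 if the rule
    does not fire. 'depth' restricts the search to the first N data bytes,
    and the whole content must fit inside that window to count."""
    icmp = parse_icmp(packet)
    if icmp["itype"] != rule["itype"]:
        return -1
    haystack = icmp["payload"]
    if rule["depth"] is not None:
        haystack = haystack[:rule["depth"]]
    return haystack.find(rule["content"])


# Echo request as seen in the alert (id/seq taken from the quoted output).
PING = build_icmp_echo(8, 15885, 56770, SPEEDERA_DATA)
```

On the packet above the content sits at data offset 48, so any depth shorter than 56 silently drops the match while leaving itype and content untouched.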
Current thread:
- Source of Recent Distributed Pings Joe Stewart (Dec 06)
- Re: Source of Recent Distributed Pings Ryan W. Maple (Dec 20)
- Re: Source of Recent Distributed Pings Joe Stewart (Dec 20)
- Re: Source of Recent Distributed Pings Ryan W. Maple (Dec 20)