Snort mailing list archives
Re: ICMP PING Windows
From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Tue, 20 Nov 2001 22:37:38 +1100
RAMALINGA Reddy wrote:

> Hi Rali,
>
> We are using snort on a linux box. There is one machine A which is trying an "ICMP PING Windows" on machine B. The number of times it attempted such a ping was 2450 in a span of 24 hours. The snort rule corresponding to this is checking for the following string in the content:
>
> content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"
>
> I suspect it to be a virus attack. Can anyone help?
Doesn't appear to be anything unusual at first glance. The 61, 62, 63 correspond to hex a, b, c (do a "man ascii" on your Linux box to see a chart of hex values and their associated ascii representations).

You really need more detail like the icmp_id, icmp_seq, perhaps the packet size, etc. to draw a more accurate picture. I forget how the Snort rules are ordered but I'm sure most serious ICMP abnormalities are reported on before being passed to the lower rules to try and analyze the characteristics of the payload to identify the source host type.

Could it simply be someone who forgot a continuous 'ping -t' running over the course of a day?

If it becomes too annoying you can either drop the pings at your network border(s), or use Snort's various features to ignore the pings and keep them from filling up your alert logs, databases, etc.

Regards,

Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
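As an added illustration of the two points in this exchange (what the rule's `|61 62 ...|` content string actually matches, and the icmp_id, icmp_seq and size fields Chris says you need to judge it), here is a small Python decoder that is not from the thread or from Snort itself. The packet samples are constructed; the 32-byte alphabet payload is modelled on what the Windows ping client sends, and the pattern check is a plain substring match, which is an assumption about how the rule behaves rather than a reproduction of Snort's engine.

```python
import struct

# Snort content string quoted in the thread; between pipes each token is a hex byte.
SNORT_CONTENT = "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"


def parse_snort_content(content):
    """Turn a Snort content string into bytes: text outside |...| is literal,
    tokens inside |...| are hex bytes (the mapping 'man ascii' shows)."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal text
        else:
            out += bytes(int(tok, 16) for tok in part.split())  # hex bytes
    return bytes(out)


def parse_icmp_echo(packet):
    """Decode the 8-byte ICMP header (type, code, checksum, id, seq) and payload.
    Returns None unless the packet is an echo request (8) or echo reply (0)."""
    if len(packet) < 8:
        return None
    icmp_type, _code, _csum, icmp_id, icmp_seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8):
        return None
    return {"type": icmp_type, "id": icmp_id, "seq": icmp_seq, "payload": packet[8:]}


def matches_rule(packet, pattern=parse_snort_content(SNORT_CONTENT)):
    """Assumed equivalent of the rule: an echo packet whose payload contains the
    pattern. Returns the id/seq/size fields an analyst wants, or None on no match."""
    echo = parse_icmp_echo(packet)
    if echo is None or pattern not in echo["payload"]:
        return None
    return {"id": echo["id"], "seq": echo["seq"], "size": len(packet)}


def build_echo(icmp_id, icmp_seq, payload):
    """Constructed echo request; checksum left zero since matching ignores it."""
    return struct.pack("!BBHHH", 8, 0, 0, icmp_id, icmp_seq) + payload


# Constructed samples: a Windows-style alphabet payload versus arbitrary data.
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
OTHER_PAYLOAD = bytes(range(0x10, 0x48))
```

Running `matches_rule` over a capture lets you see whether the 2450 hits share one icmp_id with a steadily increasing icmp_seq (one long-running ping) or look like many separate senders.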
Current thread:
- ICMP PING Windows RAMALINGA Reddy (Nov 20)
- Re: ICMP PING Windows Chris Keladis (Nov 20)