Snort mailing list archives
RE: question ? -> (MISC Large ICMP Packet)
From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 31 Dec 2001 00:46:23 -0000
Well, I can answer for the first part [the /var/log/snort/alert ICMP entry].

NMAP starts ANY scan by sending an ICMP echo request without any payload to the target. No "legal" ICMP echo request is being sent without a payload; this is the reason you see the entry in /var/log/snort/alert for suspicious activity.

For the SYN stealth scan you produced with NMAP: When you produce a SYN stealth scan with NMAP, it sends a SYN request to a targeted port (your case TCP 5000). Then NMAP sends a SYN request to the port. If the port is closed you will receive a RST back. If not, you will receive a SYN/ACK and NMAP will respond with a RST to tear down the connection.

Hope this helps

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of cdowns
Sent: Sun 30 December 2001 18:08
To: snort-users () lists sourceforge net
Subject: [Snort-users] question ? -> (MISC Large ICMP Packet)

Morning All,

Out of curiosity I decided to check my network for port 5000 tcp. Just for the hell of it and to see how Snort will react to someone snooping for the new Xsploit.c tcp 5000 windows ME/XP remote DOS/Shell. Here I used a really basic NMAP Stealth Syn scan and here is the reply in the /var/log/snort/alert:

Scan:
blasphemy# nmap -sS -p 5000 64.28.89.32/27

Logged:
[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/30-12:56:06.091068 24.128.143.28 -> 64.28.89.63
ICMP TTL:17 TOS:0x0 ID:26834 IpLen:20 DgmLen:28
Type:8 Code:0 ID:32253 Seq:156 ECHO
[Xref => http://www.whitehats.com/info/IDS246]

Obviously I deny all traffic to these high ports but stumped to the output. Can anyone explain why Snort does not see a NMAP Syn scan or does stealth mode actually work?

thanks,
~>D
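A defender-side parser for the full-format alert entry quoted above, added here as an example and not part of the thread: it derives the ICMP payload length from DgmLen and IpLen (28 - 20 - 8 = 0 for the logged packet) and flags echo requests that carry no data, the pattern Ofir attributes to NMAP. The second entry in the sample is constructed for contrast, and its sid 9999999 is a placeholder.

```python
import re
from dataclasses import dataclass

# Snort 1.x full-format entries: the first is the one quoted in the post, the second is constructed (a normal 56-byte ping).
SAMPLE_ALERT = """\
[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/30-12:56:06.091068 24.128.143.28 -> 64.28.89.63
ICMP TTL:17 TOS:0x0 ID:26834 IpLen:20 DgmLen:28
Type:8 Code:0 ID:32253 Seq:156 ECHO
[Xref => http://www.whitehats.com/info/IDS246]

[**] [1:9999999:1] CONSTRUCTED normal echo [**]
[Classification: Misc activity] [Priority: 3]
12/30-12:57:00.000000 10.0.0.5 -> 10.0.0.9
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8 Code:0 ID:1 Seq:1 ECHO
"""

ICMP_HEADER_LEN = 8  # type, code, checksum, identifier, sequence
_HDR = re.compile(r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] .+? \[\*\*\]")
_ADDR = re.compile(r"^\S+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$", re.M)
_IP = re.compile(r"^ICMP .*IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)", re.M)
_TYPE = re.compile(r"^Type:(?P<type>\d+) Code:\d+", re.M)

@dataclass
class IcmpAlert:
    sid: str
    src: str
    dst: str
    icmp_type: int
    payload_len: int  # DgmLen minus IP header minus the 8-byte ICMP header

    @property
    def is_empty_echo_request(self) -> bool:
        # Echo request (type 8) carrying no data: the pattern the reply attributes to NMAP.
        return self.icmp_type == 8 and self.payload_len == 0

def parse_alerts(text: str) -> list:
    # Parse the ICMP entries of a full-format alert file; entries with ports (TCP/UDP) are skipped.
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = [p.search(block) for p in (_HDR, _ADDR, _IP, _TYPE)]
        if all(m):
            h, a, ip, t = m
            payload = int(ip["dgmlen"]) - int(ip["iplen"]) - ICMP_HEADER_LEN
            alerts.append(IcmpAlert(h["sid"], a["src"], a["dst"], int(t["type"]), payload))
    return alerts

def empty_echo_requests(text: str) -> list:
    return [a for a in parse_alerts(text) if a.is_empty_echo_request]
```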
Current thread:
- question ? -> (MISC Large ICMP Packet) cdowns (Dec 30)
- RE: question ? -> (MISC Large ICMP Packet) Ofir Arkin (Dec 30)