Snort mailing list archives

MISC Large ICMP Packet alert on small ICMP packet


From: Bill McCarty <bmccarty () apu edu>
Date: Fri, 22 Mar 2002 20:57:08 -0800

I'm seeing MISC Large ICMP Packet alerts and don't see why. I used nmap to scan one of my hosts, using options -f -sS -p 53. The resulting alert, related to nmap's ping rather than the SYN scan, was:

03/22-20:21:30.429717  [**] [1:499:1] MISC Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} xxx.xxx.xxx.31 -> xxx.xxx.xxx.5

The relevant Snort rule is:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)

This rule seems to look for a datagram size exceeding 800 bytes. But, a tcpshow dump of the relevant packet shows a datagram size of only 28 bytes.

Packet 371
        Timestamp:                      20:21:30.429717
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                28 bytes
        Identification:                 0x1775
        Flags:                          MF=off, DF=off
        Fragment Offset:                0
        TTL:                            45
        Encapsulated Protocol:          ICMP
        Header Checksum:                0x2571
        Source IP Address:              xxx.xxx.xxx.31
        Destination IP Address:         xxx.xxx.xxx.5
ICMP Header
        Type:                           echo-request
        Checksum:                       0x1F16
ICMP Data
        ....

I'm clearly missing something. Can someone point me in the right direction?

Thanks, as always!

---------------------------------------------------
Bill McCarty
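As an added illustration (not part of Bill's post or of Snort's own code): the script below rebuilds the 28-byte echo request from the tcpshow dump as a constructed Ethernet frame and computes the ICMP payload length that the rule's dsize keyword tests, so the "dsize: >800" condition can be checked against the packet directly. The masked xxx addresses are replaced with TEST-NET placeholders, the MAC addresses are zeroed, and the checksums are copied from the dump rather than recomputed.

```python
import struct

ETH_LEN = 14       # Ethernet II header
ICMP_HDR_LEN = 8   # type, code, checksum, id, sequence

def build_icmp_echo(src, dst, payload, ip_id=0x1775, ttl=45):
    """Construct an Ethernet/IPv4/ICMP echo-request frame (test data only).
    MACs are zero and the checksums are placeholders, not computed."""
    total_len = 20 + ICMP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0,
                     ttl, 1, 0x2571, bytes(src), bytes(dst))
    icmp = struct.pack("!BBHHH", 8, 0, 0x1F16, 0, 0) + payload
    frame = b"\x00" * 12 + b"\x08\x00" + ip + icmp
    return frame.ljust(60, b"\x00")   # a NIC pads short frames to 60 bytes

def icmp_dsize(frame):
    """Return the payload length that dsize tests for an ICMP packet:
    IP total length minus IP header minus the 8-byte ICMP header.
    Ethernet padding after the datagram is ignored; a capture shorter
    than the IP total length is reported instead of silently measured."""
    if len(frame) < ETH_LEN + 20:
        raise ValueError("frame too short for an IPv4 header")
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 1:
        raise ValueError("not an ICMP datagram")
    if total_len > len(ip):
        raise ValueError("truncated capture: datagram %d bytes, %d present"
                         % (total_len, len(ip)))
    return max(0, total_len - ihl - ICMP_HDR_LEN)

def dsize_match(spec, n):
    """Evaluate a simple dsize option value (">800", "<64" or an exact size)."""
    spec = spec.strip()
    if spec.startswith(">"):
        return n > int(spec[1:])
    if spec.startswith("<"):
        return n < int(spec[1:])
    return n == int(spec)

if __name__ == "__main__":
    # The packet from the post: 20-byte IP header + 8-byte ICMP header, no data.
    pkt = build_icmp_echo((192, 0, 2, 31), (192, 0, 2, 5), b"")
    n = icmp_dsize(pkt)
    print("dsize = %d bytes, matches 'dsize: >800': %s" % (n, dsize_match(">800", n)))
```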

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
