Snort mailing list archives
Re: (new?) worm or bot signature - echo request
From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
Date: Tue, 05 Feb 2002 20:39:32 +0100
Scott Nursten wrote:

> What version of Snort is this? If it's 1.8.3,

It was a snort 1.8.1 on solaris 8/sparc

> there were some problems with the stream4 (I think) preprocessor which was allowing for some pretty unbelievable packet mangling by the time it hit the log :)
> Your packet looks like an ICMP mangled with DHCP/BOOTP...!?
> I could be wrong, but I don't see why DHCP info would be in an ICMP packet...!

I don't see either. There is no dhcp server on the network snort is listening on, our dhcp server is not serving any 192.168.0.* address, the mac address is not one of ours. I bet the icmp packet did really contain this data, it is probably not a snort bug. Another alternative is a flaw in the ip stack of the sender. I've sometimes seen packets (especially reset) containing data they should not contain (i.e. a browser sending back part of the server's answer). Although I sometimes suspect some snort undocumented features, I've seen the same kind of behaviour in snoop outputs. I had never looked at dhcp packets, at least, I learned what dhcp packets look like now. I was thinking of some malicious code reporting back their activity.

> Anyone else got any ideas?
>
> > I received a strange icmp packet. The payload contains SERVER Offered | Offering: 192.168.0.31 To: 0030651278CF By:19
> > 213.221.141.64 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20
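One way to triage the kind of packet discussed in this message, as an added example that is not part of the original thread or of Snort: it pulls the payload out of a raw IPv4 ICMP echo packet and reports readable text that is not ordinary ping filler. The function names, the 6-byte minimum run length and the 192.0.2.1 / 198.51.100.7 addresses are assumptions; the sample packets are constructed, with the payload text taken from the post.

```python
import re
import socket
import struct

def is_filler(run: bytes) -> bool:
    # Common ping padding: incrementing bytes (Unix-style) or "a".."w" repeated
    # (Windows-style). Both are printable in part, so they must be excluded.
    return all(b - a == 1 or (a, b) == (0x77, 0x61) for a, b in zip(run, run[1:]))

def embedded_text(packet: bytes, min_len: int = 6) -> list:
    """Return printable strings in an ICMP echo payload that are not filler."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 8:
        raise ValueError("not a complete ICMP packet")
    if packet[ihl] not in (0, 8):         # only echo reply / echo request
        return []
    payload = packet[ihl + 8:]            # skip type, code, checksum, id, seq
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, payload)
    return [r.decode("ascii") for r in runs if not is_filler(r)]

def build_echo(payload: bytes, src="192.0.2.1", dst="198.51.100.7") -> bytes:
    # Constructed sample packet; checksums are left at 0 because the triage
    # function does not validate them.
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

# Payload text as quoted in the post (it is cut off after "By:19" there).
SUSPECT = b"SERVER Offered | Offering: 192.168.0.31 To: 0030651278CF By:19"
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
UNIX_PING = bytes(8) + bytes(range(0x10, 0x38))

if __name__ == "__main__":
    for name, data in (("suspect", SUSPECT), ("windows", WINDOWS_PING),
                       ("unix", UNIX_PING)):
        print(name, embedded_text(build_echo(data)))
```

A non-empty result only says the payload carries readable text; whether that text came from the sender's memory, a relay, or deliberate reporting still has to be judged from the capture itself.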