Snort mailing list archives

Re: (new?) worm or bot signature - echo request


From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
Date: Tue, 05 Feb 2002 20:39:32 +0100

Scott Nursten wrote:

> What version of Snort is this? If it's 1.8.3,

It was a Snort 1.8.1 on Solaris 8/sparc.

> there were some problems with the stream4 (I think) preprocessor which was
> allowing for some pretty unbelievable packet mangling by the time it hit the log :)
>
> Your packet looks like an ICMP mangled with DHCP/BOOTP...!?
>
> I could be wrong, but I don't see why DHCP info would be in an ICMP packet...!

I don't see either. There is no DHCP server on the network Snort is listening on,
our DHCP server is not serving any 192.168.0.* address, and the MAC address is not one
of ours.
I bet the ICMP packet really did contain this data; it is probably not a Snort
bug.
Another alternative is a flaw in the IP stack of the sender. I've sometimes seen
packets (especially resets) containing data they should not contain (i.e. a browser
sending back part of the server's answer). Although I sometimes suspect some Snort
undocumented features, I've seen the same kind of behaviour in snoop outputs.

I had never looked at DHCP packets; at least I learned what DHCP packets look like
now. I was thinking of some malicious code reporting back its activity.

> Anyone else got any ideas?
>
> > I received a strange icmp packet. The payload contains
> > SERVER Offered         | Offering: 192.168.0.31  To: 0030651278CF  By:19
> >
> > 213.221.141.64 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
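The thread turns on one question: is the payload of that echo request an actual BOOTP/DHCP frame (which would point at a mangled or leaked packet), or just a line of text that happens to mention a DHCP offer (which would point at something on the sender deliberately putting it there)? The script below is an added example written for this archive page, not code from the list or from the Snort project. It builds an IPv4/ICMP echo request with the reported text as payload (source address and TTL/ID from the alert; the destination, which the post elides, is replaced by a TEST-NET address), decodes it, verifies both checksums, and then checks the payload against the fixed BOOTP wire layout (op, htype, hlen and the RFC 2132 magic cookie at offset 236). A minimal constructed DHCPOFFER is included for comparison. Identifiers such as `build_echo_request` and `looks_like_bootp` are the example's own.

```python
import socket
import struct

# RFC 2132 magic cookie; in a real BOOTP/DHCP message it sits at offset 236,
# right after the fixed 236-byte BOOTP header.
BOOTP_MAGIC = b"\x63\x82\x53\x63"

# Constructed sample: the text quoted in the original report, re-used as an ICMP payload.
REPORTED_TEXT = b"SERVER Offered         | Offering: 192.168.0.31  To: 0030651278CF  By:19"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes,
                       ttl: int = 233, ip_id: int = 23287) -> bytes:
    """Return a raw IPv4 header + ICMP echo request (type 8) carrying `payload`.
    TTL and IP ID default to the values printed in the quoted Snort alert."""
    ident, seq = 0x1234, 1            # arbitrary echo identifier / sequence number
    icmp_body = struct.pack("!HH", ident, seq) + payload
    icmp_csum = inet_checksum(struct.pack("!BBH", 8, 0, 0) + icmp_body)
    icmp = struct.pack("!BBH", 8, 0, icmp_csum) + icmp_body

    total_len = 20 + len(icmp)
    ip_fields = (0x45, 0, total_len, ip_id, 0, ttl, socket.IPPROTO_ICMP)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields, inet_checksum(ip_hdr),
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + icmp


def parse_ipv4_icmp(pkt: bytes) -> dict:
    """Decode an IPv4/ICMP packet and verify both checksums; raise on anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    ttl, proto = pkt[8], pkt[9]
    if ihl < 20 or proto != socket.IPPROTO_ICMP or total_len > len(pkt) or total_len < ihl + 8:
        raise ValueError("not a well-formed ICMP datagram")
    icmp = pkt[ihl:total_len]
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "ttl": ttl,
        "ip_id": ip_id,
        "ip_csum_ok": inet_checksum(pkt[:ihl]) == 0,
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "icmp_csum_ok": inet_checksum(icmp) == 0,
        "payload": icmp[8:],          # echo data follows type/code/csum/id/seq
    }


def looks_like_bootp(payload: bytes) -> bool:
    """True only if `payload` has the fixed BOOTP wire layout (RFC 951 / RFC 2131):
    op 1 (request) or 2 (reply), htype 1 (Ethernet), hlen 6, magic cookie at 236."""
    if len(payload) < 240:
        return False
    op, htype, hlen = payload[0], payload[1], payload[2]
    return op in (1, 2) and htype == 1 and hlen == 6 and payload[236:240] == BOOTP_MAGIC


def classify_payload(payload: bytes) -> str:
    """'bootp' for a real BOOTP/DHCP frame, 'text' for printable ASCII, else 'binary'."""
    if looks_like_bootp(payload):
        return "bootp"
    if payload and all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
        return "text"
    return "binary"


def build_bootp_offer(yiaddr: str, chaddr_hex: str, xid: int = 0x3903F326) -> bytes:
    """Constructed minimal DHCPOFFER (BOOTP reply, option 53 = 2) for comparison."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        bytes.fromhex(chaddr_hex), b"", b"")
    return fixed + BOOTP_MAGIC + b"\x35\x01\x02" + b"\xff"


if __name__ == "__main__":
    # Source from the report; destination is a TEST-NET stand-in for the elided address.
    pkt = build_echo_request("213.221.141.64", "192.0.2.10", REPORTED_TEXT)
    info = parse_ipv4_icmp(pkt)
    print(f"{info['src']} -> {info['dst']} ICMP type {info['icmp_type']} TTL:{info['ttl']} "
          f"ID:{info['ip_id']} checksums ok={info['ip_csum_ok'] and info['icmp_csum_ok']}")
    print("reported payload class:", classify_payload(info["payload"]))
    print("real DHCPOFFER class:", classify_payload(build_bootp_offer("192.168.0.31", "0030651278CF")))
```

Run against the quoted payload the classifier returns "text": the bytes are a printable log-style line, far shorter than the 240-byte BOOTP minimum and without the magic cookie, so whatever leaked or was sent was never a DHCP/BOOTP datagram on the wire. With intact checksums on a live capture that result argues against stream4 or stack mangling and for the sender having placed that text in the echo request itself, which is the "malicious code reporting back" reading in the post.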
