Snort mailing list archives
Re: ICMP Large Packet
From: "Jose Ramon Hernandez Macias" <jhernandez () alestra com mx>
Date: Thu, 20 Mar 2003 16:16:18 -0600
Ok, I finally applied the filter and it's working, no more ICMP Large Packet NULL. Now, as an example, can anyone tell me what could be this Large ICMP Packet: length = 1472

"Rapidity is the essence of war: take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots." -- Sun Tzu

Jeff Nathan <jeff () snort org>
To: Jose Ramon Hernandez Macias/Sistemas/Megacentro/Alestra@Alestra, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
20/03/2003 15:15
cc: Erek Adams <erek () snort org>
Subject: Re: [Snort-users] ICMP Large Packet

Jose,

That looks like a possible programming bug in a piece of software. 1472 bytes is the amount of space available in an Ethernet frame after taking account of the IP header and the 8 byte ICMP header: 1500 - (20 + 8). The fact that you're seeing the payload full of zeros looks like memory was allocated for a full-size Ethernet frame and then no data was put in the Ethernet frame following the ICMP header. The most plausible reason the packet's payload is all zeros is that when memory was allocated for the Ethernet frame, it was zeroed out (i.e.: malloc() and then memset() or calloc() ... )

-Jeff

--On Thursday, March 20, 2003 11:11:53 -0600 Jose Ramon Hernandez Macias <jhernandez () alestra com mx> wrote:
Hi dudes, I'm actually receiving a lot of ICMP Large Packet alerts. After I analyzed most of the packets, I've seen all of them are echo request packets with a size of 1472 bytes of NULL, so the alarm is triggered with >800. My question is: do you recommend that I increase the size to >1472 or >1500? Thanks

Jose

"Rapidity is the essence of war: take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots." -- Sun Tzu

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
http://cerberus.sourcefire.com/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre minds." -- Albert Einstein
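The arithmetic and the payload patterns discussed in this thread, worked as an added Python example (not code from the thread or from Snort): it derives the 1472-byte figure from the Ethernet MTU, builds and parses a sample echo request, labels the payload as the all-zero case Jose reported or as the sequential pattern ordinary ping traffic carries, and applies the dsize threshold Jose asks about. Assumed, not from the thread: the ping(8) payload layout (8-byte timestamp followed by bytes whose value equals their offset) and the constructed sample values.

```python
import struct

ETH_MTU, IP_HDR_LEN, ICMP_HDR_LEN = 1500, 20, 8   # Ethernet MTU, IPv4 header, ICMP echo header
SNORT_DSIZE = 800                                  # dsize threshold the thread says the alert uses

def max_icmp_payload(mtu=ETH_MTU):
    """Largest echo payload that fits one frame unfragmented: 1500 - (20 + 8) = 1472."""
    return mtu - (IP_HDR_LEN + ICMP_HDR_LEN)

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; yields 0 when run over a packet carrying a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    return ~(total + (total >> 16)) & 0xFFFF

def build_echo_request(payload, ident=0x1234, seq=1):
    """Type 8 echo request around the given payload (constructed sample, not from the thread)."""
    csum = icmp_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_icmp(pkt):
    """Split an ICMP message into header fields and payload, rejecting a bad checksum."""
    if len(pkt) < ICMP_HDR_LEN:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:ICMP_HDR_LEN])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": pkt[ICMP_HDR_LEN:]}

def ping_style_payload(size):
    """Payload as ping(8) lays it out (assumption: 8-byte timeval, then each byte equals its offset)."""
    ts = struct.pack("<II", 1048180578, 123456)          # constructed sample timestamp
    return (ts + bytes(i & 0xFF for i in range(8, size)))[:size]

def classify_payload(payload):
    """'all-zero' is the NULL-filled case from the thread; 'sequential' is ordinary ping traffic."""
    if not any(payload):
        return "all-zero"            # consistent with a calloc()'d buffer that was never filled
    tail = payload[8:]
    if tail and all(b == (i & 0xFF) for i, b in enumerate(tail, start=8)):
        return "sequential"
    return "other"

def triggers_large_icmp(payload_len, threshold=SNORT_DSIZE):
    """Snort's dsize:>threshold test: would a payload this long raise the alert?"""
    return payload_len > threshold
```

Raising the threshold to >1472, as Jose considers, silences the unfragmented full-frame case entirely, so anything that should still alert at that size needs another rule.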
Current thread:
- ICMP Large Packet Jose Ramon Hernandez Macias (Mar 20)
- Re: ICMP Large Packet Matt Kettler (Mar 20)
- Re: ICMP Large Packet Jeff Nathan (Mar 20)
- Re: ICMP Large Packet Jose Ramon Hernandez Macias (Mar 20)