Snort mailing list archives
Strange ICMP Log
From: "Ron Shuck" <rshuck () Buchanan com>
Date: Tue, 22 Apr 2003 09:26:58 -0500
Hi, I had a large number of ICMP alerts that appear to me to be the wrong signature. They were all some type of "undefined code or type" ICMP alert. This started sometime after upgrading to Snort 2.0. The sample below is from ACID v0.9.6b23 and the tcpdump of the snort packet capture file. I am running Snort 2.0.0 (build 72) on Red Hat 7.3 with a default icmp-info.rules v 1.12. I find no reason this should not have triggered one of the other ICMP rules. It does have a type of 8 and a code of 0. It does seem odd that there are no ID or Seq. Number values, but that should not have impacted the rule. Any ideas on this would be greatly appreciated.

----------------------------ACID------------------------------

    Meta   ID #          Time                 Triggered Signature
           30 - 54604    2003-04-22 08:07:24  [snort] ICMP PING (Undefined Code!)
           Sensor name   interface   filter
           sensor        eth1        none
           Alert Group   none

    IP     source addr     dest addr    Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
           205.227.136.40  68.98.203.7  4    5        128  64      58485  0      0       50   15954
           Options  none

    ICMP   type              code  checksum  id  seq #
           (8) Echo Request  (0)   0 49872

    Payload  length = 36
    000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    020 : 00 00 00 00                                      ....

-----------------------TCPDUMP---------------------------

    08:07:24.103304 205.227.136.40 > 68.98.203.7: icmp: echo request [tos 0x80]
    0x0000   4580 0040 e475 0000 3201 3e52 cde3 8828        E..@.u..2.>R...(
    0x0010   4462 cb07 0800 c2d0 352f 0000 0000 0000        Db......5/......
    0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................

Thanks,

Ron Shuck, CISSP, GCIA - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
http://www.giac.org
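When an alert's decoded fields look inconsistent with the console's rendering, it helps to decode the captured bytes directly rather than trust the front end. The following is an added example (not part of the post or of Snort/ACID): it takes the tcpdump hex dump quoted above, decodes the IPv4 and ICMP headers with the standard library, and verifies both RFC 1071 checksums, so the type, code, id, sequence number and checksum can be checked independently of how ACID displays them. Function names and the hex-dump parsing are assumptions of this example.

```python
import socket
import struct

# tcpdump -x output as quoted in the post: the 64-byte echo request.
TCPDUMP_HEX = """
0x0000 4580 0040 e475 0000 3201 3e52 cde3 8828
0x0010 4462 cb07 0800 c2d0 352f 0000 0000 0000
0x0020 0000 0000 0000 0000 0000 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x lines (offset column, then 16-bit words) into raw bytes."""
    words = []
    for line in dump.strip().splitlines():
        words.extend(line.split()[1:])  # drop the 0xNNNN offset column
    return bytes.fromhex("".join(words))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when data (incl. its checksum field) verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp_packet(raw: bytes) -> dict:
    """Decode the IPv4 header and the ICMP header that follows it, verifying both checksums."""
    ihl = (raw[0] & 0x0F) * 4  # header length in bytes
    _, tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    icmp = raw[ihl:total_len]  # ICMP header (8 bytes) plus payload
    itype, code, _, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "tos": tos, "ttl": ttl, "proto": proto,
        "ip_checksum_ok": inet_checksum(raw[:ihl]) == 0,
        "icmp_type": itype, "icmp_code": code,
        "icmp_id": icmp_id, "icmp_seq": seq,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "payload_len": len(icmp) - 8,
    }


def decode_posted_packet() -> dict:
    """Decode the packet quoted in the post."""
    return decode_icmp_packet(hexdump_to_bytes(TCPDUMP_HEX))
```

Run against the posted bytes, the decoder reports type 8, code 0, a non-zero id of 0x352f with sequence 0, and valid IP and ICMP checksums, which is what to compare against the fields the console shows.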