Snort mailing list archives
FW: Strange ICMP Log
From: "Ron Shuck" <rshuck () Buchanan com>
Date: Tue, 22 Apr 2003 15:11:54 -0500
Hi,

Earlier, I sent the email below regarding ICMP not using the correct signature. After some testing I have found that it has to do with the rule application order. If I use the '-o' or the statement 'config order: pass alert log', the problem exists. If the standard order is used, all works as expected.

--------------------------Original Email---------------------------------

I had a large number of ICMP alerts that appear to me to be the wrong signature. They were all some type of "undefined code or type" ICMP alert. This started sometime after upgrading to Snort 2.0. The sample below is from ACID v0.9.6b23 and the tcpdump of the Snort packet capture file. I am running Snort 2.0.0 (build 72) on Red Hat 7.3 with a default icmp-info.rules v 1.12. I find no reason this should not have triggered one of the other ICMP rules. It does have a type of 8 and a code of 0. It does seem odd that there is no ID or Seq. Number values, but that should not have impacted the rule. Any ideas on this would be greatly appreciated.

----------------------------ACID------------------------------

Meta
  ID #        Time                 Triggered Signature
  30 - 54604  2003-04-22 08:07:24  [snort] ICMP PING (Undefined Code!)

Sensor
  name    interface  filter
  sensor  eth1       none

Alert Group
  none

IP
  source addr     dest addr    Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
  205.227.136.40  68.98.203.7  4    5        128  64      58485  0      0       50   15954
  Options: none

ICMP
  type  code  checksum  id  seq #
  (8) Echo Request  (0)  0  49872

Payload length = 36
  000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  020 : 00 00 00 00                                      ....

-----------------------TCPDUMP---------------------------

08:07:24.103304 205.227.136.40 > 68.98.203.7: icmp: echo request [tos 0x80]
  0x0000 4580 0040 e475 0000 3201 3e52 cde3 8828 E..@.u..2.>R...(
  0x0010 4462 cb07 0800 c2d0 352f 0000 0000 0000 Db......5/......
  0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ................
  0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................

Thanks,

Ron Shuck, CISSP, GCIA - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
http://www.giac.org
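As an added example (not part of Ron's message or of Snort/ACID), the Python below parses the tcpdump hex dump quoted above into its IP and ICMP header fields and recomputes both checksums, so the type, code, checksum, ID and sequence values ACID reports can be checked against the raw bytes of the capture.

```python
import struct
from ipaddress import IPv4Address

# tcpdump hex dump of the echo request, copied from the message above.
TCPDUMP_HEX = """
0x0000 4580 0040 e475 0000 3201 3e52 cde3 8828
0x0010 4462 cb07 0800 c2d0 352f 0000 0000 0000
0x0020 0000 0000 0000 0000 0000 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x style lines (offset column, then 16-bit words) into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        words = line.split()[1:]           # drop the 0x0000 offset column
        out += bytes.fromhex("".join(words))
    return bytes(out)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_packet(raw: bytes) -> dict:
    """Decode the IPv4 and ICMP headers and verify both checksums over the packet bytes."""
    ver_ihl, tos, total_len, ident, _frag, ttl, proto, ipsum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4             # header length in bytes (options included)
    ip_hdr = raw[:ihl]
    icmp = raw[ihl:total_len]              # ICMP header (8 bytes) plus payload
    itype, icode, isum, icmp_id, icmp_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "version": ver_ihl >> 4, "tos": tos, "total_len": total_len, "ip_id": ident,
        "ttl": ttl, "proto": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        # checksums are computed with their own field zeroed
        "ip_checksum_ok": inet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == ipsum,
        "itype": itype, "icode": icode, "icmp_id": icmp_id, "icmp_seq": icmp_seq,
        "icmp_checksum_ok": inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == isum,
        "payload_len": len(icmp) - 8,
    }

if __name__ == "__main__":
    for field, value in parse_icmp_packet(hexdump_to_bytes(TCPDUMP_HEX)).items():
        print(f"{field:17} {value}")
```

Both checksums verify, so the dump is an intact packet; the decoded ICMP type, code and checksum line up with the ACID output, and the ID and sequence fields can be read directly from bytes 24 to 27.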