Snort mailing list archives
Re: Cyberkit signature
From: Andrew.Patrick () kemperservices com
Date: Fri, 22 Aug 2003 15:59:17 -0500
Nachi puts out a 92 byte ICMP type 0 (echo request) packet with a 64 byte payload of "a"'s.
Nachi sends out ICMP Type 8, Code 0 packets (echo request). Clients that answer it will be sending ICMP Type 0, Code 0 (echo reply). These replies WILL also have the string of "aaaaaaa" in the payload, but seeing a reply does not prove that the system replying is infected. Try to filter on the ICMP Type 8, Code 0 combo AND the "aaaaaa"s in the content...

Andy Patrick, GCIA, CCNA
Sr. Info. Security Analyst
x3621

DISCLAIMER: This communication, along with any documents, files or attachments, is intended only for the use of the addressee and may contain legally privileged and confidential information. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of any information contained in or attached to this communication is strictly prohibited. If you have received this message in error, please notify the sender immediately and destroy the original communication and its attachments without reading, printing or saving in any manner. This communication does not form any contractual obligation on behalf of the sender or, the sender's employer, or the employer's parent company, affiliates or subsidiaries.
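The filter suggested in the message above, as an added example that is not part of the original post: a small Python classifier that flags a source only when the "a" payload arrives in an echo request (Type 8, Code 0) and treats the matching echo reply (Type 0, Code 0) as a reply only. The function names, the ASCII "a" fill byte taken from the thread's wording, and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

FILL = b"a"        # payload byte as the thread describes it (assumption)
PAYLOAD_LEN = 64   # 20 (IP) + 8 (ICMP) + 64 = the 92-byte packet mentioned

def classify(packet: bytes, fill: bytes = FILL) -> str:
    """Return 'suspect-source', 'reply-only' or 'no-match' for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return "no-match"                      # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return "no-match"                      # truncated or malformed
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if packet[ihl + 8:total_len] != fill * PAYLOAD_LEN:
        return "no-match"
    if (icmp_type, icmp_code) == (8, 0):
        return "suspect-source"                # echo request: sender originated it
    if (icmp_type, icmp_code) == (0, 0):
        return "reply-only"                    # echo reply: sender only echoed it
    return "no-match"

def suspect_sources(packets):
    """Source addresses that sent the pattern as an echo request."""
    return {socket.inet_ntoa(p[12:16]) for p in packets
            if classify(p) == "suspect-source"}

def build_packet(src, dst, icmp_type, payload):
    """Constructed IPv4/ICMP packet for the demo; checksums are left at zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

# Constructed sample traffic (documentation addresses, not real hosts).
REQUEST = build_packet("192.0.2.10", "198.51.100.5", 8, FILL * 64)
REPLY = build_packet("198.51.100.5", "192.0.2.10", 0, FILL * 64)
NORMAL = build_packet("192.0.2.20", "198.51.100.5", 8, b"abcdefghijklmnopqrstuvwabcdefghi")

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("normal", NORMAL)):
        print(name, len(pkt), classify(pkt))
    print(suspect_sources([REQUEST, REPLY, NORMAL]))
```

Only the host that sent the request is reported; the host that answered carries the same payload but is not listed as a suspect.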