Snort mailing list archives
RE: Icmp Ping
From: Jim Hendrick <jrhendri () maine rr com>
Date: Thu, 18 Mar 2004 09:19:11 -0500
I agree that the box(es) involved should be thoroughly examined. It *does* seem a bit obvious for any sort of covert "communications", but still... I would also suggest watching for any other strange ICMP traffic on your LAN (not just to/from those boxes and not just with this payload). Could be someone messing with a tool (and your head) or it could be something more serious.

The destination IP may not even be the intended recipient (or even that important) if the "real" recipient could just see the traffic, implying you should look at all boxes that might be able to see that traffic, whether on the same switch, or having access to a router/firewall in the path, etc.

Then again, maybe I'm just being paranoid...

Jim

On Thu, 2004-03-18 at 06:30, Jerry Shenk wrote:
That showed up on this list once before (http://groups.google.com/groups?q=icmp+please+help+matrix+catch+me&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=I5u_a.85213%247O4.1995953%40twister.rdc-kc.rr.com&rnum=1) and also on the comp.security.misc newsgroup (http://groups.google.com/groups?q=icmp+please+help+matrix+catch+me&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=aa34f8a6.0307300004.60fadc8d%40posting.google.com&rnum=4). I didn't remember but google did ;)

Was that traffic originating from one of your boxes or coming in? I'd give the related box a serious check. First thought was a back door but then the question is, "Why be so obvious?" How long a period of time did this traffic involve? Is it still going on?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of cc
Sent: Thursday, March 18, 2004 4:38 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Icmp Ping

Hi,

I was looking at ACID's report for the first time this month and noticed the extraordinary amount of ICMP PINGs. I took a look at one, and was surprised to find the following as the payload:

000 : 50 6C 65 61 73 65 20 68 65 6C 70 20 6D 65 2C 20  Please help me,
010 : 6D 61 74 72 69 78 20 63 61 74 63 68 20 6D 65 20  matrix catch me

That can't be a ping. Can someone point out whether or not I fuzzed up my snort configuration?

Thanks.
Edmund

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
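Jim's advice above is to look for any other odd ICMP traffic on the LAN rather than only the one payload Edmund posted. As an added example (not code from this thread, and not part of Snort or ACID), the Python script below parses raw IPv4/ICMP echo frames and sorts each payload into the default filler of common ping tools versus readable text or other data, so pings carrying a message like "Please help me, matrix catch me" stand out in a capture. The reference payloads for Windows ping.exe and Linux iputils ping are assumed defaults, and the frames and addresses are constructed test data; tune both to the tools and hosts on your own network.

```python
"""Classify ICMP echo payloads so pings carrying readable text or other
non-default data stand out from ordinary OS pings.

Added example, not code from the thread or from Snort. The reference
payloads for Windows ping.exe and Linux iputils ping are assumed defaults;
the frames below are constructed test data, not captured traffic.
"""
import string
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

# Assumed default filler of Windows ping.exe: 32 lower-case letters.
WINDOWS_DEFAULT = b"abcdefghijklmnopqrstuvwxyzabcdef"
# Assumed default of Linux iputils ping: an 8-byte timestamp, then bytes
# 0x10, 0x11, 0x12, ... (seen as !"#$%&'()*+,-./0123456789:;<=>? in dumps).


def parse_icmp_echo(frame):
    """Return (src, dst, icmp_type, payload) for an IPv4 ICMP echo frame, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 1:
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    if len(icmp) < 8 or icmp[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return src, dst, icmp[0], icmp[8:]


def is_counting_pattern(data):
    """True when each byte is the previous byte plus one (iputils filler)."""
    return len(data) >= 4 and all(
        (data[i] + 1) & 0xFF == data[i + 1] for i in range(len(data) - 1))


def classify_payload(payload):
    """Label a payload: empty, windows-default, linux-default, text or binary."""
    if not payload:
        return "empty"
    if payload == WINDOWS_DEFAULT:
        return "windows-default"
    if len(payload) > 8 and is_counting_pattern(payload[8:]):
        return "linux-default"
    printable = sum(b in PRINTABLE for b in payload)
    # Readable text inside a ping is the case from the original report.
    return "text" if printable / len(payload) >= 0.9 else "binary"


def build_frame(src, dst, icmp_type, payload, ident=0x1234, seq=1):
    """Construct an IPv4 + ICMP echo frame for testing (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + icmp


def scan(frames):
    """Return a record per echo frame; anything not a known default is flagged."""
    records = []
    for frame in frames:
        parsed = parse_icmp_echo(frame)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        kind = classify_payload(payload)
        records.append({
            "src": src, "dst": dst, "type": icmp_type, "kind": kind,
            "flag": kind in ("text", "binary"),
            "preview": payload[:32].decode("ascii", "replace"),
        })
    return records


# Constructed sample traffic: a Windows ping, a Linux ping, and the payload
# from the original report.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, WINDOWS_DEFAULT),
    build_frame("10.0.0.7", "10.0.0.1", ICMP_ECHO_REQUEST,
                b"\x00" * 8 + bytes(range(0x10, 0x40))),
    build_frame("10.0.0.9", "10.0.0.1", ICMP_ECHO_REQUEST,
                b"Please help me, matrix catch me "),
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_FRAMES):
        mark = "FLAG" if rec["flag"] else "ok  "
        print(f'{mark} {rec["src"]} -> {rec["dst"]} type={rec["type"]} '
              f'{rec["kind"]:15} {rec["preview"]!r}')
```

In use you would feed `scan()` the IPv4 frames from a capture on a span port or the Snort sensor itself, then group flagged records by source and destination: a single host emitting many "text" or "binary" echoes, or several hosts on one segment all seeing them, is the pattern Jim describes. The two defaults are only heuristics; a tool such as hping or a ping with a custom size or pattern will show up as "binary" and deserves the same look as a readable message.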
Current thread:
- Icmp Ping cc (Mar 18)
- RE: Icmp Ping Jerry Shenk (Mar 18)
- RE: Icmp Ping Jim Hendrick (Mar 18)
- Re: Icmp Ping cc (Mar 18)
- RE: Icmp Ping Jerry Shenk (Mar 19)
- Re: Icmp Ping cc (Mar 18)
- RE: Icmp Ping Jim Hendrick (Mar 18)
- RE: Icmp Ping Lucretia Enterprises (Mar 19)
- RE: Icmp Ping Jim Hendrick (Mar 18)
- RE: Icmp Ping Jerry Shenk (Mar 18)