Firewall Wizards mailing list archives
Re: New Script Kiddie tool ?
From: "H. Morrow Long" <morrow.long () yale edu>
Date: Fri, 23 Aug 2002 11:02:07 -0400
208.184.139.82 is 208.184.139.82.speedera.com
208.185.54.14 is 208.185.54.14.speedera.com

Speedera (www.speedera.com) is a streaming content delivery company.

I noticed that Snort added a new signature recently (in the last year) called the 'speedera ping'. It would appear that Speedera may be trying to gauge the QoS RTT between one of their streaming servers and an endpoint by using the ICMP Echo packets.

The Snort rule from the std snort db is:

icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; sid:480; classtype:misc-activity; rev:2;)

H. Morrow Long
University Information Security Officer
Yale University, ITS, Dir. InfoSec Office

Peter Robinson wrote:

> G/Day all
>
> Has anyone seen this sort of probe ??
> It appears from all over the place and it seems to be spaced exactly 10 seconds apart.
> I am assuming this is a tool of sorts..
>
> Source Address=208.184.139.82
> Aug 22 14:04:21 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:31 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:41 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:51 Firewall 208.184.139.82 61.x.x.x----UDP 53
> Aug 22 14:05:01 Firewall 208.184.139.82 61.x.x.x----UDP 53
> Aug 22 17:00:03 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:13 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:23 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:33 Firewall 208.184.139.82 61.x.x.x----UDP 53
> Aug 22 17:00:43 Firewall 208.184.139.82 61.x.x.x----UDP 53
>
> Source Address=208.185.54.14
> Aug 22 14:04:21 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:32 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:42 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:52 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 14:05:02 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 15:53:32 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:42 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:52 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 15:54:02 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 15:54:12 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 17:00:02 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:12 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:22 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:32 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 17:00:42 Firewall 208.185.54.14 61.x.x.x----UDP 53
>
> Source Address=208.225.197.194
> Aug 22 15:53:35 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:45 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:55 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
> Aug 22 15:54:05 Firewall 208.225.197.194 61.x.x.x----UDP 53
> Aug 22 15:54:15 Firewall 208.225.197.194 61.x.x.x----UDP 53
>
> Source Address=208.254.18.130
> Aug 22 15:53:31 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:41 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:51 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:54:02 Firewall 208.254.18.130 61.x.x.x----UDP 53
> Aug 22 15:54:11 Firewall 208.254.18.130 61.x.x.x----UDP 53
>
> Source Address=208.254.75.130
> Aug 22 15:53:32 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:42 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:52 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:54:02 Firewall 208.254.75.130 61.x.x.x----UDP 53
> Aug 22 15:54:12 Firewall 208.254.75.130 61.x.x.x----UDP
>
> Peter Robinson
> Senior Security Engineer - Sydney
> DeMorgan Information Security Specialists
> robinson_p () demorgan com au, www.demorgan.com.au,
> Tel. 1800 336 674 Tel. +61 2 9929-0377 Fax +61 2 9499 4885
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
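An added example, not part of the original messages: a small log triage script that groups the firewall entries by source and flags bursts matching the cadence seen in the quoted log (three ICMP echo requests followed by two UDP/53 packets, about 10 seconds apart). The function names, the 60-second idle threshold, the 1-second tolerance and the year 2002 (taken from the mail's Date header) are assumptions of this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime

# 208.184.139.82 lines are from the quoted log; 192.0.2.10 lines are constructed.
SAMPLE_LOG = """\
Aug 22 14:04:21 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 14:04:31 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 14:04:41 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 14:04:51 Firewall 208.184.139.82 61.x.x.x----UDP 53
Aug 22 14:05:01 Firewall 208.184.139.82 61.x.x.x----UDP 53
Aug 22 17:00:03 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 17:00:13 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 17:00:23 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 17:00:33 Firewall 208.184.139.82 61.x.x.x----UDP 53
Aug 22 17:00:43 Firewall 208.184.139.82 61.x.x.x----UDP 53
Aug 22 14:10:02 Firewall 192.0.2.10 61.x.x.x----ICMP TYPE=8
Aug 22 14:10:09 Firewall 192.0.2.10 61.x.x.x----UDP 53
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) Firewall (\S+) \S+?----(ICMP TYPE=\d+|UDP \d+)")

def parse(log, year=2002):  # year assumed from the mail's Date header
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:  # skip "Source Address=" headers and truncated entries
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(2)].append((ts, m.group(3)))
    return events

def bursts(events, idle=60):  # a new burst starts after more than `idle` s of silence
    out = []
    for ev in sorted(events):
        if out and (ev[0] - out[-1][-1][0]).total_seconds() <= idle:
            out[-1].append(ev)
        else:
            out.append([ev])
    return out

def is_probe_burst(burst, period=10, tol=1):
    """True for 3 echo requests then 2 UDP/53 packets at a fixed ~10 s spacing."""
    kinds = [k for _, k in burst]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(burst, burst[1:])]
    return (kinds == ["ICMP TYPE=8"] * 3 + ["UDP 53"] * 2
            and all(abs(g - period) <= tol for g in gaps))

def summarize(log):
    return {src: [is_probe_burst(b) for b in bursts(evs)]
            for src, evs in parse(log).items()}
```

`summarize(SAMPLE_LOG)` returns one boolean per burst for each source, so a fixed machine-generated cadence stands out from irregular traffic before any reverse lookup or signature match is done.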