Re: Large ICMP Packets with strange payload

[Eric Landuyt <eric () datarescue com>]

Hello Brennan,

BB> I do not like seeing strings like "arpspoof", "frag/defrag",
BB> "stream_reassemble", "portscan", "rpc_decode", and "telnet_decode"  in Large
BB> ICMP Packets.

BB> Is this a Loki style covert communication channel, or just normal traffic?

Fortunately, I think that this is not the case here.
If I remember some preceding browsing in Snort's source code ;),
most of the strings we found at the END OF THE  DUMP (not the end of the
packet... I'll explain further) are identifiers/function
names/params/... from Snort's itself.
For example, we can find "stream4_reassemble" (relative to stream
reassembling engine), or "spade-homenet" (relative to Spade -
Statistical Packet Anomaly Detection Engine, a Snort preprocessor
plugin).

In the same way, we also observe some strings usually relative to
DNS traffic, like "A.ROOT-SERVERS.NET", for example.

If we look carefully at informations from the header, we can observe
IpLen = 20 and DgmLen = 28: we can thus deduce that the exact ICMP
datagram size was in fact 8 bytes.
Probably, your ICMP packet was simply something like:
00 00 00 00 00 00 00 00

My personal opinion is that an eventual bug (??!!) exists in Snort's
dump function (dumping too many bytes), and thus gave us those extra
dump bytes, resulting in printing bytes from packets/informations
previously stored at the address of your ICMP datagram in memory,
and overwriten by this datagram.

Hope this helps,
--
Eric Landuyt, Developper - mailto:eric () datarescue com
DataRescue sa/nv, Home of the IDA Pro Disassembler - http://www.datarescue.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com