Snort mailing list archives

Re: Does ICMP detection work or what?


From: François Désarménien <francois () fdesar net>
Date: Fri, 29 Jun 2001 09:56:38 +0200

Thu, 28 Jun 2001 17:22:27 -0600 (MDT)
Ryan Russell <ryan () securityfocus com> wrote:

On Thu, 28 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

Ping and ICMP aren't the same thing, ping only accounts for two ICMP
types, and there are quite a few more (as evidenced by your examples.)
What kind of firewall do you have, and what exactly does the rule say?


Couldn't it be related to the problem Phil told us about last night:

Phil Wood wrote:

In my case the problem of trash ICMP types and codes is the result of a
problem with Snort.  It appears related to the defrag preprocessor.  I have
documented, using tcpdump and Snort in parallel, that valid ICMP packets
(as seen by tcpdump) end up in Snort with some memory (not associated with
any packet) appended to a perfectly valid IP header (with proto of ICMP).
tcpdump shows two fragments (out of order) which together make up an ICMP
packet.  Snort's defrag constructs the complete ICMP packet with the identical
IP header, but crud from some place in Snort's memory as ICMP header and DATA.

François

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
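The following is an added example, not code from Snort and not posted by anyone in this thread. It shows the situation Phil describes (two IP fragments of one ICMP packet arriving out of order) and the check a practitioner would want to run against any reassembled datagram: if the defragmenter has appended bytes from the wrong place in memory instead of the bytes that were on the wire, the ICMP checksum of the reassembled packet will not verify, even though the IP header checksum still does. The addresses, IP ID, ICMP ID/sequence and payload are all made up, and the reassembler is a minimal one (it rejects overlapping fragments rather than applying an overlap policy).

```python
"""IPv4 fragment reassembly with an ICMP checksum sanity check (added example)."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), bytes(data)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 (echo request), code 0, with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = ones_complement_sum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


IP_FMT = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, ID, flags+offset, TTL, proto, csum, src, dst


def build_ipv4(src: bytes, dst: bytes, ip_id: int, mf: bool, offset8: int, payload: bytes) -> bytes:
    """IPv4 header without options; offset8 is the fragment offset in 8-byte units."""
    flags_frag = ((1 if mf else 0) << 13) | (offset8 & 0x1FFF)
    fields = [0x45, 0, 20 + len(payload), ip_id, flags_frag, 64, 1, 0, src, dst]
    fields[7] = ones_complement_sum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields) + payload


def fragment(src: bytes, dst: bytes, ip_id: int, payload: bytes, first_len: int) -> list:
    """Split one datagram payload into two fragments; first_len must be a multiple of 8."""
    if first_len % 8:
        raise ValueError("fragment boundaries must be multiples of 8 bytes")
    return [
        build_ipv4(src, dst, ip_id, True, 0, payload[:first_len]),
        build_ipv4(src, dst, ip_id, False, first_len // 8, payload[first_len:]),
    ]


class Reassembler:
    """Collect fragments per (src, dst, id, proto); emit the datagram once every byte is covered."""

    def __init__(self):
        self.flows = {}

    def feed(self, pkt: bytes):
        ihl = (pkt[0] & 0x0F) * 4
        _, _, total_len, ip_id, flags_frag, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
        mf = bool(flags_frag & 0x2000)
        offset = (flags_frag & 0x1FFF) * 8
        if not mf and offset == 0:
            return pkt  # not fragmented: pass through
        key = (src, dst, ip_id, proto)
        st = self.flows.setdefault(key, {"chunks": {}, "hdr": None, "total": None})
        st["chunks"][offset] = pkt[ihl:total_len]
        if offset == 0:
            st["hdr"] = pkt[:ihl]  # reassembled datagram reuses the first fragment's header
        if not mf:
            st["total"] = offset + len(st["chunks"][offset])  # last fragment fixes the length
        if st["hdr"] is None or st["total"] is None:
            return None
        # Walk chunks by offset: bytes 0..total must be covered exactly once.  A hole means
        # "wait for more"; an overlap is rejected too, since this example has no overlap policy.
        pos, payload = 0, bytearray()
        for off in sorted(st["chunks"]):
            if off != pos:
                return None
            payload += st["chunks"][off]
            pos += len(st["chunks"][off])
        if pos != st["total"]:
            return None
        del self.flows[key]
        hdr = bytearray(st["hdr"])
        struct.pack_into("!H", hdr, 2, ihl + len(payload))  # total length of the whole datagram
        struct.pack_into("!H", hdr, 6, 0)                   # clear MF flag and fragment offset
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, ones_complement_sum(bytes(hdr)))
        return bytes(hdr) + bytes(payload)


def icmp_checksum_ok(datagram: bytes) -> bool:
    """True if the ICMP header+data after the IP header checksums correctly; garbage will not."""
    ihl = (datagram[0] & 0x0F) * 4
    return ones_complement_sum(datagram[ihl:]) == 0


# Constructed sample traffic, not captured from a real network.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PAYLOAD = bytes(range(48))


def out_of_order_demo():
    """Deliver the last fragment first; return (original ICMP, first feed result, reassembled)."""
    icmp = build_icmp_echo(0x1234, 1, PAYLOAD)    # 8-byte ICMP header + 48 bytes = 56 bytes
    frags = fragment(SRC, DST, 0xBEEF, icmp, 16)  # 16 bytes in fragment 1, 40 in fragment 2
    r = Reassembler()
    first_result = r.feed(frags[1])               # out of order: nothing complete yet
    return icmp, first_result, r.feed(frags[0])


if __name__ == "__main__":
    icmp, first, full = out_of_order_demo()
    print("after out-of-order fragment:", first)
    print("payload matches wire bytes:", full[20:] == icmp)
    print("ICMP checksum OK:", icmp_checksum_ok(full))
    print("ICMP checksum OK with garbage payload:", icmp_checksum_ok(full[:20] + bytes(56)))
```

The last line of the demo is the point: a datagram whose IP header is intact but whose ICMP header and data came from somewhere other than the wire fails icmp_checksum_ok, so comparing this check between tcpdump's view and the defragmenter's output is a quick way to confirm the behaviour Phil reports.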
