Snort mailing list archives
Re:A new type of ICMP packet
From: Matt Scarborough <vexversa () usa net>
Date: 28 May 2001 21:12:32 EDT
On Fri, 25 May 2001 10:11:30 -0600, Phil Wood wrote:
Eight unknown ICMP's left my establishment last night at 1 second intervals.
ICMP payload 3f3f 3f3f with TTL 10 indicate Napster. But ICMP code and type 0254 do not. Then again, if that is ICMP Id 666 (029a) other things may be afoot. Could you post tcpdump -X so nothing may be lost in the conversion?

Matt Scarborough 2001-05-29
They all looked like this:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VER=4 | IHL=5 | ROU | | | | | | Total Length = 32 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification = 48669 | |D| | Fragment Offset = 0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TTL=10 | Protocol = 1 | Header Checksum = 3596 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address = 10.0.7.54 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address = 209.12.75.204 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
RFC792: INTERNET CONTROL MESSAGE PROTOCOL, September 1981
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 2 | Code = 84 | Checksum = 32 |
| Unknown Type/Code |
: 029a0001 3f3f3f3f 00000000 00000000 : ???? :
: 00000000 0000 : :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Anyone seeing these? Snort sees them as "ICMP Unassigned! (Type 2)".
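Added example, not part of the original posts: a small Python decoder for the ICMP bytes in the dump above, showing how the "0254" type/code, the 029a (666) identifier and the 3f3f3f3f payload fall out of the same bytes. It uses the IP Total Length to separate the ICMP message from the bytes captured after it. The sample buffer is constructed from the values printed in the decode; reading the checksum as decimal 32 and reading bytes 4-7 as an echo-style ID and sequence number are assumptions.

```python
import struct

# Constructed from the decode quoted above: Type = 2, Code = 84, Checksum = 32
# (checksum taken as the decimal value printed; an assumption), followed by
# the hex words shown in the dump.
SAMPLE_ICMP = struct.pack("!BBH", 2, 84, 32) + bytes.fromhex(
    "029a0001 3f3f3f3f 00000000 00000000 00000000 0000"
)
IP_TOTAL_LENGTH = 32  # "Total Length = 32"
IP_IHL_WORDS = 5      # "IHL=5"


def decode_icmp(captured, ip_total_length, ihl_words):
    """Split the bytes after the IP header into ICMP fields and any trailer."""
    icmp_len = ip_total_length - ihl_words * 4
    if icmp_len < 8 or len(captured) < icmp_len:
        raise ValueError("capture too short for an 8-byte ICMP header")
    message, trailer = captured[:icmp_len], captured[icmp_len:]
    icmp_type, code, checksum = struct.unpack("!BBH", message[:4])
    # Bytes 4-7 are type-specific. Reading them as an echo-style identifier
    # and sequence number is an assumption, since type 2 is unassigned.
    ident, seq = struct.unpack("!HH", message[4:8])
    return {
        "type": icmp_type,
        "code": code,
        "type_code_hex": message[:2].hex(),
        "checksum": checksum,
        "id": ident,
        "seq": seq,
        "payload": message[8:],
        # Bytes captured beyond the IP Total Length are not part of the
        # ICMP message and should not be analysed as payload.
        "trailer_len": len(trailer),
        "trailer_all_zero": not any(trailer),
    }


if __name__ == "__main__":
    fields = decode_icmp(SAMPLE_ICMP, IP_TOTAL_LENGTH, IP_IHL_WORDS)
    for name, value in fields.items():
        print(f"{name}: {value!r}")
```
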
Current thread:
- A new type of ICMP packet Phil Wood (May 25)
- Re: A new type of ICMP packet Ofir Arkin (May 25)
- <Possible follow-ups>
- Re:A new type of ICMP packet Matt Scarborough (May 28)
- Re: Re:A new type of ICMP packet Phil Wood (May 28)
- Re: Re:A new type of ICMP packet Chris Green (May 29)
- Re: A new type of ICMP packet Matt Scarborough (May 29)