Snort mailing list archives

Re: A new type of ICMP packet


From: Matt Scarborough <vexversa () usa net>
Date: 29 May 2001 04:21:30 EDT

On Mon, 28 May 2001 22:55:48 -0600, Phil Wood wrote:
On Mon, May 28, 2001 at 09:12:32PM -0400, Matt Scarborough wrote:
On Fri, 25 May 2001 10:11:30 -0600, Phil Wood  wrote:

Eight unknown ICMP's left my establishment last night at 1 second
intervals.

ICMP payload 3f3f 3f3f with TTL 10 indicate Napster. But ICMP code and type
0254 do not.

Then again, if that is ICMP Id 666 (029a) other things may be afoot.

Could you post tcpdump -X so nothing may be lost in the conversion?

It's the MNOPQRST sequence!  %^)

OK. Close though. FWIW anyhow
http://archives.neohapsis.com/archives/incidents/2001-02/0329.html

19:43:27.524954 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
 45000020  be1d4000  5e01ba0b  0a000736  d10c4bcc : E     @ ^      6  K  :
 024d0020  029a0001  3f3f3f3f  00000000  00000000 :  M      ????         :
 00000000  0000                                   :                      :
19:43:28.684491 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
 45000020  be1d4000  5201c60b  0a000736  d10c4bcc : E     @ R      6  K  :
 024e0020  029a0001  3f3f3f3f  00000000  00000000 :  N      ????         :
 00000000  0000     
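
Added example (not part of the original message or of Snort): a Python decoder for the two tcpdump hex dumps quoted above, extracting the fields the thread discusses (TTL, ICMP type and code, the 029a word, the 3f3f3f3f payload) and checking the ICMP checksum. The hex words are copied from the message; the function names are this example's own, and treating bytes 4-7 as ID/sequence positions assumes the echo layout, which ICMP type 2 does not define.

```python
import re
import struct

# Hex words copied from the tcpdump output above (ASCII column dropped).
DUMP = """\
19:43:27.524954 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
 45000020  be1d4000  5e01ba0b  0a000736  d10c4bcc
 024d0020  029a0001  3f3f3f3f  00000000  00000000
 00000000  0000
19:43:28.684491 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
 45000020  be1d4000  5201c60b  0a000736  d10c4bcc
 024e0020  029a0001  3f3f3f3f  00000000  00000000
 00000000  0000
"""

def inet_checksum_ok(data: bytes) -> bool:
    """True if the 16-bit one's-complement sum over data folds to 0xffff."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(raw: bytes) -> dict:
    ihl = (raw[0] & 0x0F) * 4                     # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    icmp = raw[ihl:total_len]                     # drops padding after the datagram
    typ, code, _cksum, w2, w3 = struct.unpack("!BBHHH", icmp[:8])
    return {
        "ttl": raw[8], "type": typ, "code": code, "code_chr": chr(code),
        "bytes4_5": w2, "bytes6_7": w3,   # ID/seq only in echo-style messages (assumed)
        "payload": icmp[8:].hex(), "icmp_cksum_ok": inet_checksum_ok(icmp),
    }

def parse_dump(text: str) -> list:
    packets, words = [], []
    for line in text.splitlines():
        if re.match(r"\d\d:\d\d:\d\d\.\d+ ", line):   # timestamp line starts a packet
            if words:
                packets.append(decode(bytes.fromhex("".join(words))))
            words = []
        else:
            words += re.findall(r"\b[0-9a-f]{4,8}\b", line)
    if words:
        packets.append(decode(bytes.fromhex("".join(words))))
    return packets

if __name__ == "__main__":
    print(*parse_dump(DUMP), sep="\n")
```

For the two packets shown it reports TTLs 94 and 82, ICMP type 2 with codes 0x4d and 0x4e (ASCII M and N), 666 in bytes 4-5, and an ICMP checksum that does not verify.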


