Snort mailing list archives

Re: DDOS TFN Probe, false positive?


From: John Sage <jsage () finchhaven com>
Date: Wed, 05 Dec 2001 23:14:11 -0800

Shane:

The rule itself (at least the one I have with 1.8.2) states:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; id: 678; itype: 8; content: "1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:1;)


So this is a ping (ICMP type (itype) 8, echo request) with the explicit content "1234" somewhere in the optional data portion of the ICMP packet...

So, do you have something to worry about?

I would have you take a look at the entire ICMP packet, and take a look here:

http://staff.washington.edu/dittrich/misc/tfn.analysis


Here's a snapshot of what the "1234" thing is about:

----------------------------------------------------------------
# tcpdump -lenx -s 1518 icmp | tcpshow -noip -nolink -cooked
tcpdump: listening on eth0
Packet 1

ICMP Header
Type: echo-request
Checksum: 0x9B2A
Id: 0x6E03
Sequence: 0x0000

ICMP Data
q..8x.
..
..................... !"#$%&'()*+,-./01234567
-----------------------------------------------------------------



HTH..

- John


Shane Machon wrote:

Greetings,

Do I have something to be worried about here?

Dec  6 hh:mm:ss myhost snort[21296]: [1:221:1] DDOS TFN Probe
Classification: Attempted Information Leak] [Priority: 2]: {ICMP}
xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy

The scan was from our gateway (xxx.xxx.xxx.xxx), running Red Hat 7.0 with the
snort 1.8.1 rpm. The destination was one of our remote servers (yyy.yyy.yyy.yyy).
xxx.xxx.xxx.xxx actually has ICMP echo requests being denied, so could this
be a false positive? This is the first time I have seen it in my logs
since running snort (about 3 months now).

Am I just being paranoid or could this be a problem....


Any help appreciated!


Cheers,

SHANE MACHON
Network Administrator
Technical Project Manager
Two Purple Plums Pty Ltd.
TPP Internet Development (NetNames Australasia)
PO Box 334, Manly NSW, 1655, Australia
Tel. +61 2 9970 5242
Fax. +61 2 9970 8262
Eml. shane () twoplums com au




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
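To see concretely why John's answer points at the data portion of the packet, here is an added worked example (not part of either message and not Snort's own matching engine) that builds ICMP echo requests, parses them and applies the same test sid 221 expresses: ICMP type 8 and the byte string "1234" anywhere in the payload. The payloads are constructed for this example: one filled with incrementing byte values in the style of the tcpshow dump above (which is why the run "01234567" appears and the rule fires), and one using a repeating alphabetic filler that contains no digits and so does not match. The function and variable names are the example's own.

```python
import struct

# Minimal ICMP echo-request builder/parser and a re-implementation of the
# check that Snort rule sid 221 performs ("itype: 8; content: "1234"").
# Constructed for illustration; not Snort code.

ICMP_ECHO_REQUEST = 8
TFN_PROBE_CONTENT = b"1234"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Return a complete ICMP echo request (header + data) with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP packet into header fields and data, verifying the checksum.

    A packet whose checksum is correct sums (with the checksum field included)
    to 0xFFFF, so recomputing the checksum over the whole packet yields 0.
    """
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than 8-byte header")
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": itype,
        "code": code,
        "checksum": csum,
        "id": ident,
        "seq": seq,
        "data": packet[8:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def matches_tfn_probe_rule(packet: bytes) -> bool:
    """Same condition as sid 221: echo request whose data contains '1234'.

    Snort's 'content' option is a substring search over the payload, so any
    data portion that happens to contain these four bytes satisfies the rule.
    """
    fields = parse_icmp(packet)
    return fields["type"] == ICMP_ECHO_REQUEST and TFN_PROBE_CONTENT in fields["data"]


def incrementing_ping_payload(length: int = 56) -> bytes:
    """Constructed payload: 8 bytes of timestamp space followed by the
    incrementing byte pattern 0x10, 0x11, ... seen in the tcpshow dump above."""
    timestamp = b"\x00" * 8
    pattern = bytes((0x10 + i) & 0xFF for i in range(length - 8))
    return timestamp + pattern


def alphabetic_ping_payload(length: int = 32) -> bytes:
    """Constructed payload with a repeating a..w filler and no digits at all."""
    filler = b"abcdefghijklmnopqrstuvw"
    return (filler * (length // len(filler) + 1))[:length]


def triage(packet: bytes) -> str:
    """One-line verdict a defender can log next to the alert."""
    fields = parse_icmp(packet)
    printable = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in fields["data"])
    verdict = "MATCH sid 221" if matches_tfn_probe_rule(packet) else "no match"
    return "type=%d id=0x%04X seq=0x%04X csum_ok=%s data=%r -> %s" % (
        fields["type"], fields["id"], fields["seq"], fields["checksum_ok"], printable, verdict)


if __name__ == "__main__":
    # id 0x6E03 / seq 0 are taken from the tcpshow dump in John's reply.
    ordinary_ping = build_echo_request(0x6E03, 0, incrementing_ping_payload())
    digit_free_ping = build_echo_request(0x6E03, 1, alphabetic_ping_payload())
    print(triage(ordinary_ping))      # the incrementing pattern contains "01234567"
    print(triage(digit_free_ping))    # no "1234" anywhere, rule stays quiet
```

The point the example makes is the one John's dump makes: the incrementing filler that an ordinary ping uses places the bytes 0x31 0x32 0x33 0x34 ("1234") in the data field, so a plain echo request from the gateway satisfies the rule. Whether that is a true TFN probe or a false positive is decided by looking at the whole data portion (and the id/sequence values) of the captured packet, not by the rule firing.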

