Snort mailing list archives
Re: DDOS TFN Probe, false positive?
From: John Sage <jsage () finchhaven com>
Date: Wed, 05 Dec 2001 23:14:11 -0800
Shane:

The rule itself (at least that I have with 1.8.2..) states:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; id: 678; itype: 8; content: "1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:1;)

So this is a ping (icmp (itype) 8) with the explicit content "1234" somewhere in the optional data portion of the icmp packet...

So, do you have something to worry about? I would have you take a look at the entire icmp packet, and take a look here:
http://staff.washington.edu/dittrich/misc/tfn.analysis

Here's a snapshot of what the "1234" thing is about:

----------------------------------------------------------------
# tcpdump -lenx -s 1518 icmp | tcpshow -noip -nolink -cooked
tcpdump: listening on eth0
Packet 1
ICMP Header
Type: echo-request
Checksum: 0x9B2A
Id: 0x6E03
Sequence: 0x0000
ICMP Data
q..8x. .. ..................... !"#$%&'()*+,-./01234567
-----------------------------------------------------------------

HTH..

- John

Shane Machon wrote:
Greetings,

Do I have something to be worried about here?

Dec 6 hh:mm:ss myhost snort[21296]: [1:221:1] DDOS TFN Probe Classification: Attempted Information Leak] [Priority: 2]: {ICMP} xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy

The scan was from our gateway (xxx.xxx.xxx.xxx), running redhat 7.0 with snort 1.8.1 rpm. The destination to one of our remote servers (yyy.yyy.yyy.yyy). xxx.xxx.xxx.xxx actually has ICMP echo requests being denied, could this be a false positive?

This is the first time I have seen it in my logs since running snort (about 3 months now). Am I just being paranoid or could this be a problem....

Any help appreciated!

Cheers,

SHANE MACHON
Network Administrator
Technical Project Manager
Two Purple Plums Pty Ltd.
TPP Internet Development (NetNames Australasia)
PO Box 334, Manly NSW, 1655, Australia
Tel. +61 2 9970 5242
Fax. +61 2 9970 8262
Eml. shane () twoplums com au
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
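An added illustration, not part of the thread above: a small Python check that parses an ICMP echo message and evaluates the three conditions of the sid:221 rule John quotes (itype 8, id 678, content "1234") one by one, so a reader can see which of them an ordinary ping satisfies. The sample packets, the byte-ramp payload (shaped like the `!"#$%&'()*+,-./01234567` data in the tcpshow snapshot) and all function names are constructed here and are not from Snort or the list posters.

```python
import struct

# Conditions taken from the quoted Snort rule (sid:221).
RULE_ICMP_TYPE = 8        # itype: 8  (echo request)
RULE_ICMP_ID = 678        # id: 678   (ICMP identifier field)
RULE_CONTENT = b"1234"    # content: "1234" anywhere in the ICMP data

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident, seq, payload, itype=8):
    """Build an ICMP echo message with a correct checksum (constructed test input)."""
    hdr = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload

def parse_icmp(msg):
    """Split an ICMP message into header fields and data; rejects bad checksums."""
    if len(msg) < 8:
        raise ValueError("ICMP header too short")
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": itype, "code": code, "id": ident, "seq": seq, "data": msg[8:]}

def check_tfn_probe_rule(msg):
    """Evaluate each rule condition; returns (rule_fires, per-condition results)."""
    h = parse_icmp(msg)
    cond = {
        "itype": h["type"] == RULE_ICMP_TYPE,
        "id": h["id"] == RULE_ICMP_ID,
        "content": RULE_CONTENT in h["data"],
    }
    return all(cond.values()), cond

# Constructed payload in the shape of a common ping(8) data pattern: 8 bytes of
# timestamp followed by the byte ramp 0x10..0x37, which contains ASCII "1234".
PING_PAYLOAD = b"\x00" * 8 + bytes(range(0x10, 0x38))
ORDINARY_PING = build_icmp_echo(ident=0x6E03, seq=0, payload=PING_PAYLOAD)
SUSPECT_PING = build_icmp_echo(ident=RULE_ICMP_ID, seq=0, payload=PING_PAYLOAD)

if __name__ == "__main__":
    for name, pkt in (("ordinary ping", ORDINARY_PING), ("id 678 ping", SUSPECT_PING)):
        fires, cond = check_tfn_probe_rule(pkt)
        print(name, "-> alert" if fires else "-> no alert", cond)
```

The content match alone is satisfied by the plain byte-ramp payload; only the identifier condition separates the two constructed packets, which is why the full ICMP header of the logged packet is worth inspecting.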
Current thread:
- DDOS TFN Probe, false positive? Shane Machon (Dec 05)
- Re: DDOS TFN Probe, false positive? John Sage (Dec 05)