Snort mailing list archives

question ? -> (MISC Large ICMP Packet)


From: cdowns <cdowns () lifeatzero com>
Date: Sun, 30 Dec 2001 13:07:59 -0500

Morning All,
    Out of curiosity I decided to check my network for port 5000 TCP,
just for the hell of it and to see how Snort will react to someone
snooping for the new Xsploit.c TCP 5000 Windows ME/XP remote DoS/shell.
Here I used a really basic NMAP stealth SYN scan, and here is the reply
in /var/log/snort/alert:

Scan:
blasphemy# nmap -sS -p 5000 64.28.89.32/27

Logged:
[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/30-12:56:06.091068 24.128.143.28 -> 64.28.89.63
ICMP TTL:17 TOS:0x0 ID:26834 IpLen:20 DgmLen:28
Type:8  Code:0  ID:32253   Seq:156  ECHO
[Xref => http://www.whitehats.com/info/IDS246]

Obviously I deny all traffic to these high ports, but I am stumped by the
output. Can anyone explain why Snort does not see an NMAP SYN scan, or
does stealth mode actually work?

thanks,
~>D
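As an added example (not from the original post and not Snort's own code), the following Python parses the alert record quoted above into fields, including the ICMP payload length derived from DgmLen and IpLen, and then contrasts two constructed traffic shapes: the one-port SYN sweep the poster ran (`nmap -sS -p 5000 64.28.89.32/27`, modelled here as one SYN per host with nmap's host-discovery probes left out) against a many-port scan of a single host. The `ports_per_host` and `hosts_per_source` thresholds are illustrative constants chosen for this example, not the settings of Snort's portscan preprocessor; the point they make is that a scan touching one port on each of many hosts looks like a host sweep, not a port scan, to any detector that counts distinct ports per destination.

```python
import ipaddress
import re
from collections import defaultdict

# Alert record copied from the post above (Snort "full" alert format).
SAMPLE_ALERT = """[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/30-12:56:06.091068 24.128.143.28 -> 64.28.89.63
ICMP TTL:17 TOS:0x0 ID:26834 IpLen:20 DgmLen:28
Type:8  Code:0  ID:32253   Seq:156  ECHO
[Xref => http://www.whitehats.com/info/IDS246]"""

HEADER_RE = re.compile(r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]")
ADDR_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
IP_RE = re.compile(r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9a-fA-F]+) ID:(?P<id>\d+) IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)")
INT_FIELDS = ("gid", "sid", "rev", "prio", "ttl", "id", "iplen", "dgmlen", "type", "code", "sport", "dport")


def parse_snort_alert(record):
    """Parse one multi-line Snort full-format alert into a dict of fields."""
    out = {}
    for line in record.strip().splitlines():
        line = line.strip()
        for rx in (HEADER_RE, CLASS_RE, ADDR_RE, IP_RE, ICMP_RE):
            m = rx.match(line)
            if m:
                out.update({k: v for k, v in m.groupdict().items() if v is not None})
                break
    for k in INT_FIELDS:
        if k in out:
            out[k] = int(out[k])
    # Payload seen by a rule's dsize test: total datagram minus IP header
    # minus the 8-byte ICMP header.
    if out.get("proto") == "ICMP":
        out["icmp_payload"] = out["dgmlen"] - out["iplen"] - 8
    return out


def detect_scans(packets, ports_per_host=4, hosts_per_source=4):
    """Toy scan detector (illustrative thresholds, not Snort's).

    packets: iterable of (src, dst, proto, dport, tcp_flags).
    Returns {'portscan': {(src, dst): distinct_ports}, 'sweep': {src: distinct_hosts}}
    for every pair/source at or above the respective threshold.
    """
    ports = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts = defaultdict(set)   # src -> distinct destination hosts
    for src, dst, proto, dport, flags in packets:
        if proto == "TCP" and flags == "S":   # only bare SYNs count as probes
            ports[(src, dst)].add(dport)
            hosts[src].add(dst)
    return {
        "portscan": {k: len(v) for k, v in ports.items() if len(v) >= ports_per_host},
        "sweep": {k: len(v) for k, v in hosts.items() if len(v) >= hosts_per_source},
    }


def syn_sweep(src, cidr, port):
    """Constructed traffic for `nmap -sS -p PORT CIDR`: one SYN per usable host
    (nmap's host-discovery probes are deliberately omitted)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [(src, str(h), "TCP", port, "S") for h in net.hosts()]


def vertical_scan(src, dst, ports):
    """Constructed traffic for a classic many-port scan of one host."""
    return [(src, dst, "TCP", p, "S") for p in ports]


if __name__ == "__main__":
    alert = parse_snort_alert(SAMPLE_ALERT)
    print("parsed alert:", alert)
    print("one-port sweep:", detect_scans(syn_sweep("24.128.143.28", "64.28.89.32/27", 5000)))
    print("many-port scan:", detect_scans(vertical_scan("24.128.143.28", "64.28.89.63", range(1, 11))))
```

Running it shows the sweep producing a `sweep` entry for the source but no `portscan` entry for any (source, destination) pair, while the single-host scan does the reverse. Whether a given Snort version and portscan configuration alerts on either shape depends on its own thresholds, which this example does not reproduce.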
