Snort mailing list archives

RE: question ? -> (MISC Large ICMP Packet)


From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 31 Dec 2001 00:46:23 -0000

Well,
 
I can answer for the first part [the /var/log/snort/alert ICMP entry].
NMAP starts ANY scan by sending an ICMP echo request without any payload
to the target. No “legal” ICMP echo request is being sent without a
payload; this is the reason you see the entry in /var/log/snort/alert for
suspicious activity.
 
For the SYN stealth scan you produced with NMAP:
When you produce a SYN stealth scan with NMAP, it sends a SYN request to
a targeted port (your case TCP 5000).
Then NMAP sends a SYN request to the port. If the port is closed you
will receive a RST back. If not you will receive a SYN/ACK and NMAP will
respond with a RST to tear down the connection.
 
Hope this helps
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of cdowns
Sent: Sun 30 December 2001 18:08
To: snort-users () lists sourceforge net
Subject: [Snort-users] question ? -> (MISC Large ICMP Packet)
 
Morning All, 
    Out of curiosity I decided to check my network for port 5000 tcp.
Just for the hell of it and to see how Snort will react to someone
snooping for the new Xsploit.c tcp 5000 windows ME/XP remote DOS/Shell.
Here I used a really basic NMAP Stealth Syn scan and here is the reply
in the /var/log/snort/alert: 
Scan: 
blasphemy# nmap -sS -p 5000 64.28.89.32/27 
Logged: 
[**] [1:499:1] MISC Large ICMP Packet [**] 
[Classification: Potentially Bad Traffic] [Priority: 2] 
12/30-12:56:06.091068 24.128.143.28 -> 64.28.89.63 
ICMP TTL:17 TOS:0x0 ID:26834 IpLen:20 DgmLen:28 
Type:8  Code:0  ID:32253   Seq:156  ECHO 
[Xref => http://www.whitehats.com/info/IDS246] 
Obviously I deny all Traffic to these high ports but stumped to the
output. Can anyone explain why Snort does not see a NMAP Syn scan or
does stealth mode actually work ? 
thanks, 
~>D
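Added example, not code from the thread, from Snort or from NMAP: a small Python parser over hand-built IPv4 datagrams that reports the two packet shapes discussed above, an echo request whose DgmLen of 28 is nothing but the 20-byte IP header plus the 8-byte ICMP echo header (no payload), and a SYN-only segment to TCP 5000 carrying no data. The sample packets are constructed here with RFC 5737 documentation addresses, and the classifier does not verify checksums.

```python
import socket
import struct

ICMP, TCP = 1, 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used for the IP header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(proto: int, body: bytes, src: str, dst: str, ttl: int = 64) -> bytes:
    """Wrap a transport-layer body in a minimal 20-byte IPv4 header (no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + body


def classify(pkt: bytes) -> dict:
    """Parse one IPv4 datagram and flag probe-like shapes: empty echo request or bare SYN."""
    ver_ihl, _tos, dgm_len, _id, _frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "ttl": ttl, "dgm_len": dgm_len, "verdict": None}
    if proto == ICMP:
        icmp_type, code = pkt[ihl], pkt[ihl + 1]
        payload = dgm_len - ihl - 8              # 8-byte ICMP echo header, rest is payload
        info.update(proto="ICMP", type=icmp_type, code=code, payload_len=payload)
        if icmp_type == 8 and code == 0 and payload == 0:
            info["verdict"] = "echo request with empty payload (scanner-style host probe)"
    elif proto == TCP:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
        payload = dgm_len - ihl - (off_flags >> 12) * 4
        flags = off_flags & 0x3F
        info.update(proto="TCP", sport=sport, dport=dport, flags=flags, payload_len=payload)
        if flags == 0x02 and payload == 0:       # SYN alone, no data: half-open probe
            info["verdict"] = f"bare SYN to port {dport}"
    return info


# Constructed samples (not captures from the post): an 8-byte echo request like the
# alert's Type:8 Code:0 ID:32253 Seq:156 DgmLen:28, and a 20-byte SYN to TCP 5000.
ECHO_PROBE = build_ipv4(ICMP, struct.pack("!BBHHH", 8, 0, 0, 32253, 156),
                        "192.0.2.10", "198.51.100.7", ttl=17)
SYN_5000 = build_ipv4(TCP, struct.pack("!HHIIHHHH", 40000, 5000, 1, 0, 0x5002, 1024, 0, 0),
                      "192.0.2.10", "198.51.100.7", ttl=17)
```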