Snort mailing list archives
Re: MISC Large ICMP Packet alert on small ICMP packet
From: John Sage <jsage () finchhaven com>
Date: Sat, 23 Mar 2002 12:51:51 -0800
Bill: Here's a wild thought: On Fri, Mar 22, 2002 at 08:57:08PM -0800, Bill McCarty wrote:
I'm seeing MISC Large ICMP Packet alerts and don't see why. I used nmap to scan one of my hosts, using options -f -sS -p 53. The resulting alert, related to nmap's ping rather than the SYN scan, was:03/22-20:21:30.429717 [**] [1:499:1] MISC Large ICMP Packet [**] [Class ification: Potentially Bad Traffic] [Priority: 2] {ICMP} xxx.xxx.xxx.31 -> xxx.xxx.xxx.5
Typically icmp representation is not talking about ports, even though the presentation by snort "xxx.xxx.xxx.31" and "xxx.xxx.xxx.5" tends to confuse newcomers. Rather, icmp refers to type:code combinations. There _is_ an icmp type 31, code 5; see: ftp://ftp.isi.edu/in-notes/rfc1475.txt Specifically: <snip> "6.2 Conversion failed ICMP message The introduction of network layer conversion requires a new message type, to report conversion errors. Note that an invalid datagram should result in the sending of some other ICMP message (e.g., parameter problem) or the silent discarding of the datagram. This message is only sent when a valid datagram cannot be converted. The type for Conversion Failed is 31. The codes are: 0 Unknown/unspecified error 1 Don't Convert option present 2 Unknown mandatory option present 3 Known unsupported option present 4 Unsupported transport protocol 5 Overall length exceeded <snip> So, (Hey! I said this was a wild thought.. :-/ ) perhaps this is an icmp representation of a packet that failed conversion, due to "overall length exceeded" Something like an icmp "destination unreachable" which would contain the beginnings of the offending packet; but in this case, this is reporting an overlength packet that triggered the snort rule, but _this_ icmp packet itself is of normal, shorter length... I dunno.. ..I said it was a wild thought. I'll just go back to sleep, now. - John -- The weirdest thing about Window$ is that it's so opaque
The relevant Snort rule is:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)This rule seems to look for a datagram size exceeding 800 bytes. But, a tcpshow dump of the relevant packet shows a datagram size of only 28 bytes.Packet 371 Timestamp: 20:21:30.429717 IP Header Version: 4 Header Length: 20 bytes Service Type: 0x00 Datagram Length: 28 bytes Identification: 0x1775 Flags: MF=off, DF=off Fragment Offset: 0 TTL: 45 Encapsulated Protocol: ICMP Header Checksum: 0x2571 Source IP Address: xxx.xxx.xxx.31 Destination IP Address: xxx.xxx.xxx.5 ICMP Header Type: echo-request Checksum: 0x1F16 ICMP Data ....I'm clearly missing something. Can someone point me in the right direction? Thanks, as always! --------------------------------------------------- Bill McCarty
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- MISC Large ICMP Packet alert on small ICMP packet Bill McCarty (Mar 22)
- Re: MISC Large ICMP Packet alert on small ICMP packet John Sage (Mar 23)
- Re: MISC Large ICMP Packet alert on small ICMP packet Bill McCarty (Mar 23)
- Re: MISC Large ICMP Packet alert on small ICMP packet John Sage (Mar 23)
- Re: MISC Large ICMP Packet alert on small ICMP packet Bill McCarty (Mar 23)
- <Possible follow-ups>
- Re: MISC Large ICMP Packet alert on small ICMP packet Mark Cooper (Mar 25)
- Re: MISC Large ICMP Packet alert on small ICMP packet Bill McCarty (Mar 25)
- Re: MISC Large ICMP Packet alert on small ICMP packet John Sage (Mar 23)