Snort mailing list archives

Re: (new?) worm or bot signature - echo request


From: ICPPhila_Email_Review () icpphil navy mil
Date: Tue, 5 Feb 2002 06:45:40 -0500

What version of Snort is this? If it's 1.8.3, there were some problems with
the stream4 (I think) preprocessor which was allowing for some pretty
unbelievable packet mangling by the time it hit the log :) Your packet looks
like an ICMP mangled with DHCP/BOOTP...!? I could be wrong, but I don't see
why DHCP info would be in an ICMP packet...!


Anyone else got any ideas?

Regards,

Scott Nursten

On 31/1/02 18:48, "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
wrote:


I received a strange icmp packet. The payload contains
SERVER Offered         | Offering: 192.168.0.31  To: 0030651278CF  By:19

(0030651278CF=207854139599=3014504474317(oct)=0.48.101.18.120.207  which
doesn't mean anything for me)

A search on google gave me no good result, the only potentially useful
link is:
http://www.wi2600.org/mediawhore/nf0/wireless/dumps/madison-minakwa-and-briar-hill/Data/Briar%20Hill%20International.libpcap

[**] IDS171/icmp_ping zeros [**]
01/31-15:07:15.772291  type:0x800 len:0x86
213.221.141.64 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20
DgmLen:120 DF
Type:8  Code:0  ID:1376   Seq:23296  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 20 53 45 52 56 45 52 20 4F 66 66 65 72 65  .. SERVER Offere
64 20 20 20 20 20 20 20 20 20 7C 20 4F 66 66 65  d         | Offe
72 69 6E 67 3A 20 31 39 32 2E 31 36 38 2E 30 2E  ring: 192.168.0.
33 31 20 20 54 6F 3A 20 30 30 33 30 36 35 31 32  31  To: 00306512
37 38 43 46 20 20 42 79 3A 20 31 39              78CF  By: 19

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS171/icmp_ping zeros [**]
01/31-15:07:15.780343  type:0x800 len:0x86
213.221.141.64 -> 195.72.91.yyy ICMP TTL:234 TOS:0x0 ID:23288 IpLen:20
DgmLen:120 DF
Type:8  Code:0  ID:1376   Seq:23552  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 20 53 45 52 56 45 52 20 4F 66 66 65 72 65  .. SERVER Offere
64 20 20 20 20 20 20 20 20 20 7C 20 4F 66 66 65  d         | Offe
72 69 6E 67 3A 20 31 39 32 2E 31 36 38 2E 30 2E  ring: 192.168.0.
33 31 20 20 54 6F 3A 20 30 30 33 30 36 35 31 32  31  To: 00306512
37 38 43 46 20 20 42 79 3A 20 31 39              78CF  By: 19

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

# whois -h whois.ripe.net 213.221.141.64
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      213.221.139.0 - 213.221.141.255
netname:      TVS2NET
descr:        tvs2net headend dransnet lancity
country:      CH
admin-c:      PAM49-RIPE
tech-c:       OC609-RIPE
rev-srv:      dns1.netplus.ch
notify:       noc () vsnet ch
mnt-by:       AS15547-MNT
status:       ASSIGNED PA
changed:      pa.matthey () vsnet ch 20011126
source:       RIPE

route:        213.221.128.0/19
descr:        Cablecom Holding AG
descr:        Zollstrasse42
descr:        CH-8021 Zuerich
descr:        SWITZERLAND
origin:       AS8404
holes:        213.221.158.0/24
notify:       lir-mnt () cablecom ch
mnt-by:       AS8404-MNT
changed:      felix.giger () cablecom ch 20010711
source:       RIPE

person:       Pierre-Alain Matthey
address:      TVS2NET
address:      Rue de l'industrie 43
address:      CH-1951 SION
address:      SWITZERLAND
phone:        +41273240469
fax-no:       +41273240412
e-mail:       pa.matthey () vsnet ch
nic-hdl:      PAM49-RIPE
changed:      pa.matthey () vsnet ch 20011008
source:       RIPE

person:       Olivier Crettenand
address:      Energie de Sion Region SA
address:      Rue de l'Industrie 43
address:      CH-1951 Sion
address:      Switzerland
phone:        + 41 27 324 0473
fax-no:       + 41 27 324 0412
e-mail:       olivier.crettenand () vsnet ch
nic-hdl:      OC609-RIPE
notify:       hostmaster () switch ch
changed:      hostmaster () switch ch 20010517
source:       RIPE




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
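As an added example (not part of this thread or of Snort itself), the script below rebuilds the echo payload from the first alert's hex dump, checks its length against the alert's DgmLen, and reproduces the decimal/octal/dotted conversions of the 12-hex-digit "To:" token that Stephane worked out by hand. The dump lines and DgmLen:120 are copied from the first alert above; everything else is constructed.

```python
import re

# Constructed copy of the hex-dump lines from the first Snort alert in the thread
# (Snort's '-d' payload dump: 16 bytes per line, then an ASCII gutter).
SNORT_DUMP = """\
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 20 53 45 52 56 45 52 20 4F 66 66 65 72 65  .. SERVER Offere
64 20 20 20 20 20 20 20 20 20 7C 20 4F 66 66 65  d         | Offe
72 69 6E 67 3A 20 31 39 32 2E 31 36 38 2E 30 2E  ring: 192.168.0.
33 31 20 20 54 6F 3A 20 30 30 33 30 36 35 31 32  31  To: 00306512
37 38 43 46 20 20 42 79 3A 20 31 39              78CF  By: 19
"""
DGM_LEN = 120  # DgmLen from the alert's IP header line

def parse_dump(dump):
    """Rebuild raw payload bytes from a Snort hex dump, reading only the fixed-width
    hex column (48 chars = 16 * "xx "); the ASCII gutter can hold hex-looking text."""
    out = bytearray()
    for line in dump.splitlines():
        out.extend(int(tok, 16) for tok in line[:48].split())
    return bytes(out)

def analyse_alert(dump=SNORT_DUMP, dgm_len=DGM_LEN):
    """Cross-check the dump against the IP length and decode the payload text."""
    payload = parse_dump(dump)
    expected_len = dgm_len - 20 - 8  # IPv4 header (IpLen:20) + ICMP echo header (8)
    zeros = len(payload) - len(payload.lstrip(b"\x00"))
    text = payload[zeros:].decode("ascii", errors="replace")
    match = re.search(r"To:\s*([0-9A-Fa-f]{12})", text)
    token = match.group(1) if match else None
    value = int(token, 16) if token else None
    raw = bytes.fromhex(token) if token else b""
    return {
        "payload_len": len(payload),
        "expected_len": expected_len,
        "length_ok": len(payload) == expected_len,
        "leading_zeros": zeros,  # a run of 0x00 is what a "ping zeros" content match keys on
        "text": text,
        "to_token": token,
        # The same three renderings Stephane posted, computed instead of by hand.
        "to_decimal": value,
        "to_octal": format(value, "o") if value is not None else None,
        "to_dotted": ".".join(str(b) for b in raw),
        # 12 hex digits = 6 bytes; colon form is how a 6-byte hardware address is usually written.
        "to_colon_hex": ":".join(f"{b:02x}" for b in raw),
    }

if __name__ == "__main__":
    for key, val in analyse_alert().items():
        print(f"{key:>13}: {val}")
```

The payload length (92 bytes) matches DgmLen minus the two headers, so the dump is not truncated, and the 18 leading zero bytes explain why a "ping zeros" style signature fired on a packet that otherwise carries readable text.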
