Snort mailing list archives

Re: Is this a valid traffic?


From: Skip Carter <skip () taygeta com>
Date: Wed, 03 Apr 2002 09:39:32 -0800


This is an ICMP packet, but I don't know if it's valid.
Comments please. Thanks.

04/02-23:48:49.573330 w.x.y.z -> 12.248.252.154
ICMP TTL:226 TOS:0x0 ID:62326 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:0   Seq:0  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

neil camara (neil () restricted dyndns org) - cc{na|sa}, mcse - pgp 0x777777B2

  This is an echo request packet, the type generated by a 'ping' program.
  There are two unusual things about it:

        -- it is zero filled.  This is not necessarily suspicious; it's just that since
           the payload of an echo request packet is not used, some OSes just send random
           data (whatever happened to be in the allocated memory block) and others zero
           fill it.  Because of this, the fact that it is zero filled can be helpful in
           identifying the OS of the sending system.

        -- the packet size is 1500 bytes.  There is never any reason for an ICMP packet
           to be larger than 128 bytes.  So a packet this size may be part of an OS recon
           scan of your network (different OSes will respond differently to a large ICMP
           packet).

    These packets are pretty common.  I wouldn't worry about them unless they contained
    nonzero data (indicating a possible covert data channel), were extremely frequent
    (maybe a DoS attempt), or associated with other activity.


-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
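To make the two checks in the reply concrete, here is an added example (not code from the thread or from Snort) that decodes a raw IPv4/ICMP datagram and reports the same two properties: whether the echo payload is entirely zero filled, and whether the datagram exceeds the 128-byte size the reply treats as the upper bound for legitimate ICMP. The packet it analyses is constructed inline to match the fields in the quoted alert (Type 8, Code 0, ID 0, Seq 0, TTL 226, DF set, 1500-byte total length); the addresses, the `LARGE_ICMP_BYTES` threshold name and the `findings` wording are this example's own assumptions.

```python
import socket
import struct

# Threshold taken from the reply above: ICMP datagrams larger than this
# are worth a second look. The constant name is this example's own choice.
LARGE_ICMP_BYTES = 128


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data
    that already carries a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0, seq: int = 0, ttl: int = 226,
                       ip_id: int = 62326, src: str = "10.0.0.1",
                       dst: str = "192.0.2.10") -> bytes:
    """Constructed sample: IPv4 header (DF set) + ICMP echo request.
    Field values mirror the alert in the thread; addresses are placeholders."""
    icmp_body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = struct.pack("!BBHHH", 8, 0, inet_checksum(icmp_body), ident, seq) + payload
    total_len = 20 + len(icmp)
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0x4000,
                      ttl, 1, 0, src_b, dst_b)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0x4000,
                      ttl, 1, inet_checksum(hdr), src_b, dst_b)
    return hdr + icmp


def analyse_icmp(packet: bytes) -> dict:
    """Decode an IPv4/ICMP datagram and apply the two checks from the reply."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, ip_id, flags_frag = struct.unpack("!HHH", packet[2:8])
    ttl, proto = packet[8], packet[9]
    if proto != 1:
        raise ValueError("not ICMP (protocol %d)" % proto)
    if len(packet) < ihl + 8 or total_len > len(packet):
        raise ValueError("truncated datagram")
    icmp = packet[ihl:total_len]
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]

    findings = []
    if inet_checksum(packet[:ihl]) != 0:
        findings.append("bad IP header checksum")
    checksum_ok = inet_checksum(icmp) == 0
    if not checksum_ok:
        findings.append("bad ICMP checksum")
    zero_filled = len(payload) > 0 and not any(payload)
    if itype == 8 and zero_filled:
        findings.append("echo request payload is entirely zero filled "
                        "(OS-dependent; useful as a fingerprinting hint)")
    oversized = total_len > LARGE_ICMP_BYTES
    if oversized:
        findings.append("ICMP datagram of %d bytes exceeds %d-byte threshold"
                        % (total_len, LARGE_ICMP_BYTES))
    return {
        "type": itype, "code": code, "id": ident, "seq": seq,
        "ttl": ttl, "ip_id": ip_id, "df": bool(flags_frag & 0x4000),
        "dgm_len": total_len, "payload_len": len(payload),
        "checksum_ok": checksum_ok, "zero_filled": zero_filled,
        "oversized": oversized, "findings": findings,
    }


if __name__ == "__main__":
    # 20-byte IP header + 8-byte ICMP header + 1472 zero bytes = 1500 bytes,
    # the DgmLen shown in the quoted alert.
    sample = build_echo_request(b"\x00" * 1472)
    for line in analyse_icmp(sample)["findings"]:
        print("-", line)
```

Feeding the decoder a normal 56-byte-payload ping (non-zero data, 84-byte datagram) yields no findings, which is the contrast the reply draws: the zero fill and the size together are what make the quoted packet worth noting, not the echo request itself.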