Snort mailing list archives
RE: ICMP Packets.
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Mon, 26 Aug 2002 21:37:12 -0400
Yeah we were pretty sure that this is some sort of JPEG information in the ICMP packet. I have seen some other activity between ports 88 and 1107 as well with the hosts involved in the ICMP conversations.

I did manage to come across another post somewhere else talking about this same kind of activity, this was the post.

http://cert.uni-stuttgart.de/archive/intrusions/2002/05/msg00430.html

If anybody else has any helpful insight it would be appreciated.

Thanks!

vjl

-----Original Message-----
From: Skip Carter [mailto:skip () taygeta com]
Sent: Monday, August 26, 2002 9:20 PM
To: larosa, vjay
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP Packets.
Anybody recognize this payload? It is part of an ICMP packet. I have searched google and haven't found any reason why I would see this data in an ICMP echo packet. Awful suspicious....

vjl

FF D8 FF FE 00 08 57 41 4E 47 32 02 FF E0 00 10  ......WANG2.....
4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF DB  JFIF.....`.`....
00 43 00 10 0B 0C 0E 0C 0A 10 0E 0D 0E 12 11 10  .C.............
The JFIF is part of the header information in a JPEG image file. If somebody is really tunneling image files through an ICMP connection that is definitely not good (who knows what else is moving that way).

--
Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.        INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
Monterey, CA. 93940
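Added example, not part of the original thread: a Python sketch of the check discussed above, which parses an ICMP echo message and walks any JPEG marker segments found at the start of its payload. The function names and the constructed echo packet are assumptions for illustration; the payload bytes are the 48 quoted in the post.

```python
import struct

# The 48 payload bytes quoted in the post (the capture is truncated there).
POSTED_PAYLOAD = bytes.fromhex(
    "FFD8FFFE000857414E473202FFE00010"
    "4A46494600010101006000600000FFDB"
    "004300100B0C0E0C0A100E0D0E121110"
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; 0 over a message with a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed ICMP echo request (type 8), used only as sample input."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def jpeg_segments(buf: bytes):
    """Walk JPEG header segments: [(marker, declared_len, data_present)]."""
    if buf[:2] != b"\xff\xd8":          # no SOI marker, not a JPEG start
        return []
    out, pos = [(0xD8, 0, b"")], 2
    while pos + 4 <= len(buf) and buf[pos] == 0xFF:
        marker, length = buf[pos + 1], struct.unpack("!H", buf[pos + 2:pos + 4])[0]
        if length < 2:                  # length field counts its own 2 bytes
            break
        out.append((marker, length, buf[pos + 4:pos + 2 + length]))
        pos += 2 + length               # may run past a truncated capture
    return out

def inspect_icmp(pkt: bytes) -> dict:
    """Parse an ICMP message (IP header already stripped) and report JPEG structure."""
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    itype = pkt[0]
    segs = jpeg_segments(pkt[8:]) if itype in (0, 8) else []   # echo reply/request
    app0 = next((d for m, _, d in segs if m == 0xE0 and d[:5] == b"JFIF\x00"), None)
    return {
        "type": itype, "checksum_ok": inet_checksum(pkt) == 0,
        "markers": [f"FF{m:02X}" for m, _, _ in segs],
        "comment": next((d for m, _, d in segs if m == 0xFE), None),
        "jfif_version": (app0[5], app0[6]) if app0 and len(app0) >= 7 else None,
        "suspicious": len(segs) >= 2 and app0 is not None,
    }
```

On the posted bytes this yields the segment order SOI, COM ("WANG2" plus one byte), APP0/JFIF version 1.01, then a DQT segment whose declared 67-byte length runs past the end of the capture.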