Snort mailing list archives
RE: Strange ICMP packets from windows machines
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 19 Nov 2002 07:39:00 -0500
I also reported this activity a few months ago. In my spare time (what little I have) I have been trying to isolate a system sending these packets to examine it further. If you have any ideas I would be interested in talking with you.

vjl

-----Original Message-----
From: Juergen Schmidt [mailto:ju () ct heise de]
Sent: Tuesday, November 19, 2002 6:14 AM
To: snort-users () lists sourceforge net
Cc: ps () ct heise de
Subject: [Snort-users] Strange ICMP packets from windows machines

Hello,

I got two independent reports about Windows machines sending large ICMP echo requests. The weird thing about them is that they seem to contain a JPEG image with a Microsoft logo as payload (fragmented over two packets).

The packet characteristics are:

ICMP, Type 0 (echo request), size > 2000 Byte

One report can be found at:

http://www.wfu.edu/~steinsj5/work/icmp.html

I haven't seen those packets myself yet. Has anybody else observed something similar?

thanks in advance,
juergen

--
Juergen Schmidt Leitender Redakteur/senior editor c't magazin
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju () ct heise de

-------------------------------------------------------
This sf.net email is sponsored by: To learn the basics of securing your web site with SSL, click here to get a FREE TRIAL of a Thawte Server Certificate: http://www.gothawte.com/rd524.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
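As an added example (not part of either message, and not code from Snort): a Python check for the traffic described in this thread, reassembling IPv4 fragments and flagging ICMP echo messages over 2000 bytes whose data contains a JPEG header. The original post gives the type as 0; ICMP type 8 is echo request and type 0 is echo reply, so the check accepts both. Comparing the size against the ICMP message length, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"        # JPEG start-of-image (FF D8) plus the next marker's FF
ECHO_TYPES = {8: "echo request", 0: "echo reply"}

def reassemble(fragments):
    """Join the IPv4 fragments of one ICMP datagram; None if incomplete."""
    parts, saw_last = {}, False
    for pkt in fragments:
        if pkt[9] != 1:                         # IP protocol 1 = ICMP
            return None
        ihl = (pkt[0] & 0x0F) * 4
        total_len, _ident, flags_off = struct.unpack("!HHH", pkt[2:8])
        parts[(flags_off & 0x1FFF) * 8] = pkt[ihl:total_len]
        saw_last = saw_last or not flags_off & 0x2000   # MF bit clear on last fragment
    data = b""
    for offset in sorted(parts):
        if offset != len(data):                 # gap or overlap: do not guess
            return None
        data += parts[offset]
    return data if saw_last else None

def inspect_icmp(icmp, min_len=2000):
    """Flag echo messages longer than min_len bytes that carry a JPEG header."""
    if icmp is None or len(icmp) <= min_len or icmp[0] not in ECHO_TYPES:
        return None
    jpeg_at = icmp[8:].find(JPEG_SOI)           # skip the 8-byte ICMP echo header
    if jpeg_at < 0:
        return None
    return {"type": ECHO_TYPES[icmp[0]], "icmp_len": len(icmp), "jpeg_offset": jpeg_at}

def ip_fragment(payload, offset, more):
    """Constructed test data: minimal IPv4 header (checksum 0) plus one fragment."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_off,
                       128, 1, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + payload

def sample_fragments(body):
    """Constructed sample: one echo request carrying body, split at 1480 bytes."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + body   # ICMP checksum left 0
    if len(icmp) <= 1480:
        return [ip_fragment(icmp, 0, False)]
    return [ip_fragment(icmp[:1480], 0, True), ip_fragment(icmp[1480:], 1480, False)]

if __name__ == "__main__":
    big = JPEG_SOI + b"\xe0" + bytes(2044)      # constructed 2048-byte payload
    print(inspect_icmp(reassemble(sample_fragments(big))))
    print(inspect_icmp(reassemble(sample_fragments(b"abcdefghijklmnopqrstuvwabcdefghi"))))
```

The second call uses an ordinary 32-byte ping payload and is not flagged; a datagram with a missing fragment is also left unflagged rather than inspected partially.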
Current thread:
- Strange ICMP packets from windows machines Juergen Schmidt (Nov 19)
- <Possible follow-ups>
- RE: Strange ICMP packets from windows machines larosa, vjay (Nov 19)