Snort mailing list archives

large icmp packets with embedded jpegs


From: cmcauley () coresecure com
Date: Thu, 9 Jan 2003 10:43:08 -0500

With a Snort setup installed at a client location, we have discovered ICMP packets 
triggering Snort's "large icmp packet" rule.  These packets have a similar, if 
not the same, structure to what is discussed in these links:

archives:
http://marc.theaimsgroup.com/?l=snort-users&m=103064802326192&w=2
http://marc.theaimsgroup.com/?l=snort-users&m=103771074015725&w=2

and this research:
http://www.wfu.edu/~steinsj5/work/icmp.html

There is a little more info out on the net, but it provides no further information.

Is there any more information as to what these could be?  Is this really normal 
traffic to be seeing on a win2k/XP network?  Curious minds want to know.

Chuck McAuley
Coresecure, Inc.

