Snort mailing list archives

FW: Strange ICMP Log


From: "Ron Shuck" <rshuck () Buchanan com>
Date: Tue, 22 Apr 2003 15:11:54 -0500

Hi,

Earlier, I sent the email below regarding ICMP not using the correct
signature. After some testing I have found that it has to do with the
rule application order. If I use the '-o' or the statement 'config
order: pass alert log', the problem exists. If the standard order is
used, all works as expected.

--------------------------Original Email---------------------------------
I had a large number of ICMP alerts that appear to me to be the wrong
signature. They were all some type of "undefined code or type" ICMP
alert. This started sometime after upgrading to Snort 2.0. The sample
below is from ACID v0.9.6b23 and the tcpdump of the snort packet capture
file. I am running Snort 2.0.0 (build 72) on Red Hat 7.3 with a default
icmp-info.rules v 1.12.

I find no reason this should not have triggered one of the other ICMP
rules. It does have a type of 8 and a code of 0. It does seem odd that
there is no ID or Seq. Number values, but that should not have impacted
the rule.

Any ideas on this would be greatly appreciated.

----------------------------ACID------------------------------
Meta
ID #       Time                Triggered Signature 
30 - 54604 2003-04-22 08:07:24 [snort] ICMP PING (Undefined Code!) 
 
Sensor name interface filter 
sensor      eth1      none  
 
Alert
Group   none  
 
IP  source addr     dest addr    Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
    205.227.136.40  68.98.203.7  4    5        128  64      58485  0      0       50   15954
 
Options     none  
 
ICMP  type       code  checksum id seq # 
(8) Echo Request (0) 0 49872   
 
Payload   length = 36

000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
020 : 00 00 00 00                                       ....

-----------------------TCPDUMP---------------------------

08:07:24.103304 205.227.136.40 > 68.98.203.7: icmp: echo request [tos 0x80]
0x0000   4580 0040 e475 0000 3201 3e52 cde3 8828        E..@.u..2.>R...(
0x0010   4462 cb07 0800 c2d0 352f 0000 0000 0000        Db......5/......
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................


Thanks,


Ron Shuck, CISSP, GCIA - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org
http://www.giac.org
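Decoding the packet from the tcpdump hex dump in the message above, as an added example (not part of Ron's post and not Snort's own code): it parses the dump, decodes the IP and ICMP headers, verifies both checksums, and runs a minimal itype/icode matcher. The two rules in RULES are constructed stand-ins for the icmp-info style rules named in the thread (an "Undefined Code" rule assumed to test for type 8 with a non-zero code, and a plain echo-request rule); they are not the text of icmp-info.rules.

```python
import struct

# Hex dump copied from the tcpdump output quoted in the message above.
HEXDUMP = """
0x0000   4580 0040 e475 0000 3201 3e52 cde3 8828
0x0010   4462 cb07 0800 c2d0 352f 0000 0000 0000
0x0020   0000 0000 0000 0000 0000 0000 0000 0000
0x0030   0000 0000 0000 0000 0000 0000 0000 0000
"""

# Constructed stand-ins for two icmp-info style rules: (message, itype test, icode test).
# A test is (operator, value) or None for "any". They mirror how an "Undefined Code"
# rule is assumed to be written (type 8 with a non-zero code); they are not the
# actual contents of icmp-info.rules.
RULES = [
    ("ICMP PING (Undefined Code!)", ("==", 8), (">", 0)),
    ("ICMP PING", ("==", 8), None),
]


def parse_hexdump(text):
    """Convert tcpdump -x style lines (offset column, then hex words) to bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        out.extend(bytes.fromhex("".join(line.split()[1:])))  # drop the 0x0000 column
    return bytes(out)


def internet_checksum(data):
    """RFC 1071 one's-complement checksum. Computed over a header that already
    carries its checksum field, the result is 0 when that checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(pkt):
    """Decode the fixed 20-byte IPv4 header and verify its checksum."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, cksum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    hdr_len = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "hdr_len": hdr_len, "tos": tos,
        "total_len": total_len, "id": ident, "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
        "checksum": cksum,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "checksum_ok": internet_checksum(pkt[:hdr_len]) == 0,
    }


def decode_icmp(segment):
    """Decode the 8-byte ICMP echo header; id/seq only mean something for echo types.
    The ICMP checksum covers header and payload, so verify it over the whole segment."""
    itype, icode, cksum, ident, seq = struct.unpack("!BBHHH", segment[:8])
    return {
        "type": itype, "code": icode, "checksum": cksum, "id": ident, "seq": seq,
        "payload_len": len(segment) - 8,
        "checksum_ok": internet_checksum(segment) == 0,
    }


def _test(cond, value):
    if cond is None:
        return True
    op, n = cond
    return {"==": value == n, ">": value > n, "<": value < n}[op]


def matching_rules(icmp, rules=RULES):
    """Messages of every rule whose itype/icode tests the packet satisfies.
    Pass/alert/log ordering is deliberately ignored: this only asks which
    rules the packet could match on its ICMP type and code."""
    return [msg for msg, t, c in rules
            if _test(t, icmp["type"]) and _test(c, icmp["code"])]


def analyse(hexdump=HEXDUMP):
    pkt = parse_hexdump(hexdump)
    ip = decode_ipv4(pkt)
    icmp = decode_icmp(pkt[ip["hdr_len"]:ip["total_len"]])
    return ip, icmp, matching_rules(icmp)


if __name__ == "__main__":
    ip, icmp, hits = analyse()
    print("IP  : %s -> %s ttl=%d id=%d tos=0x%02x checksum_ok=%s" % (
        ip["src"], ip["dst"], ip["ttl"], ip["id"], ip["tos"], ip["checksum_ok"]))
    print("ICMP: type=%d code=%d id=0x%04x seq=%d payload=%d checksum_ok=%s" % (
        icmp["type"], icmp["code"], icmp["id"], icmp["seq"],
        icmp["payload_len"], icmp["checksum_ok"]))
    print("rules matched:", hits)
```

Run as a script it prints the decoded fields and the matched rule messages. On this packet both checksums verify, the type/code decode as 8/0 with a 36-byte all-zero payload, and only the plain "ICMP PING" stand-in matches, so nothing in the packet itself explains an "Undefined Code" alert; the echo identifier field, left blank in the ACID display, decodes from the dump as 0x352f. Because the matcher ignores pass/alert/log ordering, a disagreement between its answer and what Snort reported points at the rule set or its evaluation order rather than at the packet.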
