Snort mailing list archives

Re: Icmp Ping


From: cc <cc () belfordhk com>
Date: Fri, 19 Mar 2004 11:08:17 +0800

Jerry Shenk sighed and wrote:


> Was that traffic originating from one of your boxes or coming in?  I'd

The traffic is coming into the box and not out.  But
reading the links above, if the traffic is coming into the box and
the traffic is actually a PONG (and not a PING), then does
that mean it's actually responding to a Ping originating from
within the network?   Or did I misunderstand the last link?  I
had trouble understanding it and only kinda guessed the meaning.

> give the related box a serious check.  First thought was a back door but
> then the question is, "Why be so obvious?"  How long a period of time
> did this traffic involve?  Is it still going on?


It's still going on.  And now, I've got another different ICMP response
with a payload of:

000 : 37 FF 01 00 00 00 0B B8 00 03 D5 EB 4E EA B8 2D   7...........N..-
010 : 0E 74 6F 70 2D 36 30 30 31 2D 34 32 30 30 30 00   .top-6001-42000.
020 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
030 : 00 00                                             ..

Does anyone recognize this kind of command?

Thanks

Edmund


