Snort mailing list archives
Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..
From: Jeff Kell <jeff-kell () utc edu>
Date: Wed, 31 Dec 2003 22:47:25 -0500
Earlier I wrote:

> Brice B wrote:
> > Chris, would you mind telling us how you set it to alert only on internal Cyberkit/Nachi ping attempts? Did you use thresholding?
> > Can anyone verify the [non]existence of a difference between the Cyberkit and Nachi pings?
>
> Not having Cyberkit myself, I can only address Nachi. The frame is 106 bytes on the wire, 92 bytes in the IP packet, and 64 bytes of 0xaa in the ICMP data payload.
I just captured a packet with Snort that was flagged as Cyberkit and it differs from the classic Nachi packet -- the data payload is 68 bytes and the last 4 bytes are nulls:
#(1 - 55391) [2003-12-31 21:52:18] [arachNIDS/154] [snort/483]
ICMP PING CyberKit 2.2 Windows
IPv4: 218.22.67.12 -> xxx.xx.xxx.xxx
      hlen=5 TOS=0 dlen=96 ID=0 flags=0 offset=0 TTL=108 chksum=3011
ICMP: type=Echo Request code=0 checksum=20776 id= seq=
Payload: length = 68
000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
040 : 00 00 00 00                                      ....
The classic Nachi pings are 64 bytes in length, and all 0xAA. I don't get Nachi pings anymore since they are blocked by our border routers. This one got through because the length didn't match Nachi.
So... is this really a Cyberkit ping? And if so, can't someone a bit more experienced with signatures create revised signatures that will differentiate between Cyberkit and Nachi?
Or, since Nachi is "supposed" to expire tomorrow, is it even worth it?

Jeff
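As an added example (not code from the post, from Snort, or from the rule set it references), the following Python builds the two frames described above, parses the IPv4 and ICMP headers the way a sensor would, and shows why an exact length-and-content check separates the 64-byte all-0xAA Nachi payload from the 68-byte 0xAA-plus-four-nulls payload, while a prefix-only match fires on both. The addresses, id/seq values and the shape of `prefix_only_match` are assumptions for illustration; the page does not show how sid 483 is actually written.

```python
import socket
import struct

# Payloads as described in the post: Nachi is 64 bytes of 0xAA; the frame
# flagged as CyberKit carried 64 bytes of 0xAA followed by four null bytes.
NACHI_PAYLOAD = b"\xaa" * 64
CYBERKIT_PAYLOAD = b"\xaa" * 64 + b"\x00" * 4

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, src="192.0.2.1", dst="192.0.2.2",
                       ident=0, seq=0, ttl=108) -> bytes:
    """Constructed sample frame: IPv4 header + ICMP echo request, no Ethernet.
    Addresses and id/seq are placeholders, not values from the post."""
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    icmp_csum = inet_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, icmp_csum, ident, seq) + payload

    total_len = 20 + len(icmp)  # this is the "dlen" shown in the alert
    ip_fields = [0x45, 0, total_len, 0, 0, ttl, IPPROTO_ICMP, 0,
                 socket.inet_aton(src), socket.inet_aton(dst)]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    ip_fields[7] = inet_checksum(ip_hdr)
    return struct.pack("!BBHHHBBH4s4s", *ip_fields) + icmp


def icmp_echo_payload(frame: bytes):
    """Return the ICMP echo-request data, or None if the frame is not one.
    Honours the IP header length (hlen) and total length (dlen) fields and
    verifies the ICMP checksum, so trailing garbage is not mistaken for data."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != IPPROTO_ICMP or total_len > len(frame) or ihl + 8 > total_len:
        return None
    icmp = frame[ihl:total_len]
    if icmp[0] != ICMP_ECHO_REQUEST or inet_checksum(icmp) != 0:
        return None
    return icmp[8:]


def classify_ping(payload: bytes) -> str:
    """Separate the two payloads the post describes by exact length and
    content; anything else starting with a run of 0xAA is left for a human."""
    if payload == NACHI_PAYLOAD:
        return "nachi"
    if payload == CYBERKIT_PAYLOAD:
        return "cyberkit"
    if payload.startswith(b"\xaa" * 32):
        return "aa-prefix-unknown"
    return "other"


def prefix_only_match(payload: bytes, depth: int = 32) -> bool:
    """Illustrative signature that only inspects the first `depth` bytes
    (an assumption; whether sid 483 works this way is not shown on the page).
    It matches both payloads, which is why a length check is needed."""
    return payload[:depth] == b"\xaa" * depth


if __name__ == "__main__":
    for name, payload in (("Nachi", NACHI_PAYLOAD), ("CyberKit", CYBERKIT_PAYLOAD)):
        frame = build_echo_request(payload)
        data = icmp_echo_payload(frame)
        print(f"{name}: dlen={len(frame)} payload={len(data)} "
              f"class={classify_ping(data)} prefix_match={prefix_only_match(data)}")
```

Running it reproduces the two IP lengths from the thread (92 for Nachi, 96 for the captured frame) and prints a different class for each, while `prefix_only_match` is True for both.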
Current thread:
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Brice B (Dec 31)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Jeff Kell (Dec 31)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Jeff Kell (Dec 31)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Paul Schmehl (Dec 31)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Jim Brown (Jan 03)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Paul Schmehl (Jan 03)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Jeff Kell (Dec 31)
- RE: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Chris N (Jan 02)
- <Possible follow-ups>
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Simon Smith (Dec 31)