Snort mailing list archives

Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..


From: Jeff Kell <jeff-kell () utc edu>
Date: Wed, 31 Dec 2003 22:47:25 -0500



Earlier I wrote:
Brice B wrote:
 Chris,

would you mind telling us how you set it to alert only internal Cyberkit/Nachi ping attempts? Did you use thresholding?

Can anyone verify the [non]existence of a difference between the Cyberkit and Nachi pings? Not having Cyberkit myself, I can only address Nachi. The frame is 106 bytes on the wire, 92 bytes in the IP packet, and 64 bytes of 0xaa in the ICMP data payload.

I just captured a packet with Snort that was flagged as Cyberkit and it differs from the classic Nachi packet -- the data payload is 68 bytes and the last 4 bytes are nulls:

#(1 - 55391) [2003-12-31 21:52:18] [arachNIDS/154] [snort/483]
> ICMP PING CyberKit 2.2 Windows
IPv4: 218.22.67.12 -> xxx.xx.xxx.xxx
      hlen=5 TOS=0 dlen=96 ID=0 flags=0 offset=0 TTL=108 chksum=3011
ICMP: type=Echo Request code=0
      checksum=20776 id= seq=
Payload:  length = 68

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
040 : 00 00 00 00                                       ....

The classic Nachi pings are 64 bytes in length, and all 0xAA. I don't get Nachi pings anymore since they are blocked by our border routers. This one got through because the length didn't match Nachi.

So... is this really a Cyberkit ping? And if so, can't someone a bit more experienced with signatures create revised signatures that will differentiate between Cyberkit and Nachi?

Or, since Nachi is "supposed" to expire tomorrow, is it even worth it?

Jeff


