Re: normal vs. malicious icmp echo

[Matt Kettler <mkettler () evi-inc com>]

At 11:25 PM 5/5/2004, Mario Guerendo wrote:
> I just wanted to know if anybody had a snort rule available that would
> differentiate a normal ICMP echo ping from a malicious one?

And what difference would you expect there to be?

Do you expect them to be RFC 3514 compliant???
http://www.faqs.org/rfcs/rfc3514.html

A ping is a network diagnostic probe. It provides information about network 
timing and if hosts are up or not. Normal vs malicious is a difference in 
how that information is used, and not a difference in the packet.

Snort's default ruleset has a lot of rules to detect what program generated 
an icmp echo, but knowing what tool made the packet (windows "ping", nmap, 
whatsup gold, superscan, etc) won't tell you if the packet is malicious or 
not. And let's face it, from a standpoint of a hacker, what format the ping 
packet is completely irrelevant, so they can make it look like a windows 
ping, or whatever else they want.






-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users