Snort mailing list archives
Re: normal vs. malicious icmp echo
From: Milo Velimirovic <milov () uwlax edu>
Date: Thu, 6 May 2004 14:52:18 -0500
The OP asked a legitimate question. It is quite possible to embed data in the payload of an ICMP packet. To suggest that there is no difference between ordinary and malicious ICMP packets except for the way in which they are put to use really underestimates the capabilities and/or the creativity of the dark side.
It's possible to use ICMP echo request/reply packets to create a communication channel, for example nemesis-icmp. Also our friends at Phrack and their project Loki.
Last I checked there is an entry in the icmp rules to detect nemesis but not any that identify themselves as detecting loki.
--Milo On May 6, 2004, at 10:50 AM, Matt Kettler wrote:
At 11:25 PM 5/5/2004, Mario Guerendo wrote:I just wanted to know if anybody had a snort rule available that would differentiate a normal ICMP echo ping from a malicious one?And what difference would you expect there to be? Do you expect them to be RFC 3514 compliant??? http://www.faqs.org/rfcs/rfc3514.htmlA ping is a network diagnostic probe. It provides information about network timing and if hosts are up or not. Normal vs malicious is a difference in how that information is used, and not a difference in the packet.Snort's default ruleset has a lot of rules to detect what program generated an icmp echo, but knowing what tool made the packet (windows "ping", nmap, whatsup gold, superscan, etc) won't tell you if the packet is malicious or not. And let's face it, from a standpoint of a hacker, what format the ping packet is completely irrelevant, so they can make it look like a windows ping, or whatever else they want.------------------------------------------------------- This SF.Net email is sponsored by Sleepycat SoftwareLearn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO.http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Milo Velimirović <milov "at" uwlax "dot" edu> Unix Computer Network Administrator University of Wisconsin - La Crosse La Crosse, Wisconsin 54601 USA 43 48 05 N 91 14 22 W There are 10 different types of people in the world. Those who can read binary and those who can't. ------------------------------------------------------- This SF.Net email is sponsored by Sleepycat Software Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO. http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- normal vs. malicious icmp echo Mario Guerendo (May 05)
- Re: normal vs. malicious icmp echo Erik Fichtner (May 05)
- Re: normal vs. malicious icmp echo Matt Kettler (May 06)
- Re: normal vs. malicious icmp echo Milo Velimirovic (May 06)