[Snort-devel] icmpspoof preprocessor for snort

John Papapanos jpa3nos at ...1264...
Tue Apr 22 03:22:07 EDT 2003

Hello dear people,


For some time now I've been working on a preprocessor for Snort. The result is spp_icmpspoof.

This preprocessor is able to detect spoofed ICMP ECHO Request/Reply packets that may exist in the inbound and outbound traffic of the network protected by snort.

Furthermore, it can detect inbound/outbound packets that are generated as an answer to a spoofed ICMP ECHO Request/Reply that took place in your internal traffic, or that someone outside your network sent somewhere else while spoofing your IP address.


It detects spoofing when someone outside your network sends spoofed packets to someone outside or inside your network, spoofed packets sent from inside your network and other spoofing scenarios.


Every time a spoofed packet is detected an alert is generated, as well as a probable case scenario describing the role and location of every host that took part in the spoofing process.

Read the attached README file for more info.


It was tested on a Linux RedHat 7.3 box with the snort-1.9.1 and snort-2.0.0 distributions. Some minor changes are needed for snort-1.8.7.

I have not tested it thoroughly, but it seems to work just fine.


This preprocessor could be a way of detecting covert channels, decoy traffic, scanning/network mapping, OS fingerprinting, DDoS attacks and other attacks that make use of spoofed ICMP ECHO packets.


There is still work to be done and more features to be added for the future.  


Please feel free to test it and post me your comments on this and don't hesitate to ask me any questions. I'm very interested in your feedback. 


The preprocessor's files can also be found at:

John Papapanos (Internet Systematics Lab).
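The announcement names three things the preprocessor looks for: packets entering the protected network that claim an internal source, packets leaving it with a foreign source, and echo replies that are answers to a request the apparent requester never sent. The following is an added illustration of that bookkeeping, not code from spp_icmpspoof or from the post; it assumes (these are my assumptions, not the author's) that the sensor knows its internal address space, sees both directions of traffic, that internal-to-internal traffic does not cross the sensor, and that echo packets have been reduced to a small `Echo` record with a direction, addresses, ICMP type, identifier and sequence number. It deliberately does not try to catch a request spoofed by an outside host toward an inside host using another outside address, which address/state consistency alone cannot distinguish from a genuine request.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class Echo:
    """One ICMP echo packet as the sensor would summarise it (constructed format)."""
    direction: str   # "in" = entering the protected network, "out" = leaving it
    src: str
    dst: str
    icmp_type: int   # ECHO_REQUEST or ECHO_REPLY
    ident: int       # ICMP identifier field
    seq: int         # ICMP sequence number


class IcmpSpoofDetector:
    """Flags echo packets whose addresses or request/reply state do not add up."""

    def __init__(self, internal_nets):
        self.nets = [ip_network(n) for n in internal_nets]
        # Requests seen and not yet answered, keyed by (requester, target, id, seq);
        # a genuine reply mirrors the addresses and carries the same id/seq.
        self.pending = set()

    def is_internal(self, addr):
        a = ip_address(addr)
        return any(a in n for n in self.nets)

    def process(self, pkt):
        """Return a list of alert strings for one packet; empty means consistent."""
        src_int = self.is_internal(pkt.src)

        # Address/direction consistency: a packet coming in from outside can never
        # legitimately carry one of our own addresses, and one going out can never
        # carry a foreign address, so either is a spoof regardless of ICMP type.
        if pkt.direction == "in" and src_int:
            return [f"spoofed: packet from outside claims internal source "
                    f"{pkt.src} -> {pkt.dst}"]
        if pkt.direction == "out" and not src_int:
            return [f"spoofed: internal host sent packet with foreign source "
                    f"{pkt.src} -> {pkt.dst}"]

        if pkt.icmp_type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return []

        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # reply mirrors the request
            if key in self.pending:
                self.pending.discard(key)
                return []
            if pkt.direction == "in":
                # Nobody inside asked: either a third party sent the request using
                # pkt.dst's address and pkt.src is the unwitting responder, or this
                # is an unsolicited reply used as a probe or covert channel.
                return [f"unsolicited reply: {pkt.src} answered internal {pkt.dst}, "
                        f"which sent no matching request"]
            return [f"unexpected outbound reply: internal {pkt.src} answered "
                    f"{pkt.dst} without a request seen by the sensor"]
        return []


def run_demo():
    """Feed constructed traffic through the detector; returns the alerts per packet."""
    det = IcmpSpoofDetector(["10.0.0.0/8"])
    traffic = [  # constructed sample traffic, documentation addresses only
        Echo("out", "10.0.0.5", "198.51.100.7", ECHO_REQUEST, 1, 1),  # normal ping
        Echo("in", "198.51.100.7", "10.0.0.5", ECHO_REPLY, 1, 1),    # its reply
        Echo("in", "203.0.113.9", "10.0.0.8", ECHO_REPLY, 7, 3),     # unsolicited
        Echo("in", "10.0.0.1", "10.0.0.8", ECHO_REQUEST, 1, 1),      # our address from outside
        Echo("out", "192.0.2.4", "198.51.100.7", ECHO_REQUEST, 1, 1),  # foreign address from inside
        Echo("in", "198.51.100.7", "10.0.0.5", ECHO_REQUEST, 2, 1),  # inbound ping
        Echo("out", "10.0.0.5", "198.51.100.7", ECHO_REPLY, 2, 1),   # our answer
    ]
    return [det.process(p) for p in traffic]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        for a in alerts:
            print(f"packet {i}: {a}")
```

In a real sensor the `pending` set would need an age-out so that requests that never get an answer do not accumulate, and the identifier/sequence match would have to tolerate stacks that reuse values; both are omitted here to keep the matching logic visible.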
-------------- next part --------------
A non-text attachment was scrubbed...
Name: icmpspoof-v1.1.tar.gz
Type: application/x-gzip
Size: 13271 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030422/03dd8cc2/attachment.bin>
