[Snort-devel] decoder: 'DECODE_ICMP4_TYPE_OTHER' alert, false positive?

Bram bram-fabeg at ...3414...
Wed Sep 4 09:10:48 EDT 2013


Hi,


When should snort generate the 'DECODE_ICMP4_TYPE_OTHER' alert?
Currently the alert is generated for some ICMP types that are defined  
by IANA and for which an RFC exists.

Looking at the code shows that a list of 'known' (src/decode.h) ICMP  
types is used and that the alert is generated for all other ICMP types.

The question though: based on what was this list created?
I see two options:
* All defined ICMP types - at the time the code was written - were added
* A subset of the defined ICMP types were added

Personally I would expect to see the 'DECODE_ICMP4_TYPE_OTHER' for  
ICMP types that are completely unknown (not assigned by IANA/no RFC).

But: there appears to be no documentation for this rule so I'm not  
sure what the expected/correct behaviour is...


IANA list:  
http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

Known by snort (OK)
* Type 0 – Echo Reply
* Type 3 – Destination Unreachable
* Type 4 – Source Quench (Deprecated)
* Type 5 – Redirect
* Type 8 – Echo
* Type 9 – Router Advertisement
* Type 10 – Router Selection
* Type 11 – Time Exceeded
* Type 12 – Parameter Problem
* Type 13 – Timestamp
* Type 14 – Timestamp Reply
* Type 15 – Information Request (Deprecated)
* Type 16 – Information Reply (Deprecated)
* Type 17 – Address Mask Request (Deprecated)
* Type 18 – Address Mask Reply (Deprecated)

Unknown by snort:
* Type 6 – Alternate Host Address (Deprecated)
* Type 30 – Traceroute (Deprecated)
* Type 31 – Datagram Conversion Error (Deprecated)
* Type 32 – Mobile Host Redirect (Deprecated)
* Type 33 – IPv6 Where-Are-You (Deprecated)
* Type 34 – IPv6 I-Am-Here (Deprecated)
* Type 35 – Mobile Registration Request (Deprecated)
* Type 36 – Mobile Registration Reply (Deprecated)
* Type 37 – Domain Name Request (Deprecated)
* Type 38 – Domain Name Reply (Deprecated)
* Type 39 – SKIP (Deprecated)
* Type 40 – Photuris
* Type 41 – ICMP messages utilized by experimental mobility protocols  
such as Seamoby

Other (OK)
* Type 1 – Unassigned
* Type 2 – Unassigned
* Type 7 – Unassigned
* Type 19 – Reserved (for Security)
* Types 20-29 – Reserved (for Robustness Experiment)
* Types 42-252 – Unassigned
* Type 253 – RFC3692-style Experiment 1
* Type 254 – RFC3692-style Experiment 2


I expect/expected an alert only for the 'Other' list.



This was detected because an ICMP message with type 37 was received  
(and an alert generated).
It is unknown what system generated that particular ICMP packet...

Just for reference:

config:
	dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
	alert ( msg:"DECODE_ICMP4_TYPE_OTHER"; sid:418; gid:116; rev:1;  
metadata:rule-type decode; )
	output alert_fast: stdout

running it:
	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r  
/tmp/icmp_37.cap 2>&1  2>&1 | grep 116
	07/21-15:29:41.473279  [**] [116:418:1] (snort_decoder) WARNING:  
ICMP4 type other [**] [Priority: 0] {ICMP} 192.168.99.111 -> 10.10.10.10

snort version:
	$ snort -V
	   ,,_     -*> Snort! <*-
   	o"  )~   Version 2.9.5.3 GRE (Build 132)
	   ''''    By Martin Roesch & The Snort Team:  
http://www.snort.org/snort/snort-team
	           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
	           Using libpcap version 1.3.0
	           Using PCRE version: 8.32 2012-11-30
	           Using ZLIB version: 1.2.8



Best regards,

Bram



-------------- next part --------------
A non-text attachment was scrubbed...
Name: icmp_37.cap
Type: application/octet-stream
Size: 82 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130904/348d82a7/attachment.obj>
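Added example (not part of the original post or of Snort's own code): a small decoder that pulls the ICMP type out of a raw IPv4 packet and classifies it against the three lists above, so a 'DECODE_ICMP4_TYPE_OTHER' hit on a deprecated-but-IANA-assigned type (like the type 37 in this report) can be told apart from one on a truly unassigned type. The type sets, the sid/gid and the sample addresses are taken from the post; the packet builder is a constructed sample with checksums zeroed.

```python
import struct

# Types Snort 2.9.5.3 treats as known, per the post's "Known by snort" list.
SNORT_KNOWN = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}
# IANA-assigned types Snort does not know, per the post's "Unknown by snort" list.
IANA_ASSIGNED_NOT_IN_SNORT = {6, *range(30, 42)}
# Every other value in 0-255 is unassigned/reserved/experimental ("Other").


def classify_icmp_type(icmp_type: int) -> str:
    """Return 'known', 'assigned-not-in-snort' or 'other' for an ICMP type byte."""
    if not 0 <= icmp_type <= 255:
        raise ValueError("ICMP type must fit in one byte")
    if icmp_type in SNORT_KNOWN:
        return "known"
    if icmp_type in IANA_ASSIGNED_NOT_IN_SNORT:
        return "assigned-not-in-snort"
    return "other"


def snort_alerts(icmp_type: int) -> bool:
    """Snort fires 116:418 on every type outside its known set, including the
    IANA-assigned ones; this is the behaviour the post questions."""
    return classify_icmp_type(icmp_type) != "known"


def icmp_type_from_ipv4(frame: bytes) -> int:
    """Extract the ICMP type from a raw IPv4 packet (no link-layer header)."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, proto = frame[0], frame[9]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4            # header length in bytes, options included
    if ihl < 20 or len(frame) < ihl + 8:      # ICMP header is 8 bytes
        raise ValueError("truncated packet")
    if proto != 1:
        raise ValueError("not ICMP")
    return frame[ihl]                         # first ICMP byte is the type


def build_icmp_packet(icmp_type: int, code: int = 0) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 8-byte ICMP header, checksums zeroed."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 28, 0, 0, 64, 1, 0,
                            bytes([192, 168, 99, 111]), bytes([10, 10, 10, 10]))
    return ip_header + struct.pack("!BBHI", icmp_type, code, 0, 0)
```

Running `classify_icmp_type(icmp_type_from_ipv4(build_icmp_packet(37)))` reproduces the case in the post: Snort alerts, yet the type is IANA-assigned rather than unknown.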

