[Snort-devel] decoder: 'DECODE_ICMP4_TYPE_OTHER' alert, false positive?

Bram bram-fabeg at ...3414...
Wed Sep 18 15:31:36 EDT 2013


Hi,


Sorry for the late reply, got caught up in some other stuff.

I do not know how ICMPv6 is handled... my experience with IPv6 in
general is too limited...


Best regards,

Bram


Quoting Victor Roemer <vroemer at ...402...>:

> Bram,
>
> I'm not surprised to see this behavior, though that doesn't mean it's
> appropriate. Do you know if ICMPv6 is handled the same way?
>
> I think it would be more useful to have individual alerts for "deprecated",
> "reserved" etc.. I'll open a bug to address this annoyance.
>
> Thanks
>
> On Wed, Sep 4, 2013 at 9:10 AM, Bram <bram-fabeg at ...3414...> wrote:
>
>> Hi,
>>
>>
>> When should snort generate the 'DECODE_ICMP4_TYPE_OTHER' alert?
>> Currently the alert is generated for some ICMP types that are defined by
>> IANA and for which an RFC exist.
>>
>> Looking at the code shows that a list of 'known' (src/decode.h) ICMP types
>> is used and that the alert is generated for all other ICMP types.
>>
>> The question though: based on what was this list created?
>> I see two options:
>> * All defined ICMP types - at the time the code was written - were added
>> * A subset of the defined ICMP types were added
>>
>> Personally I would expect to see the 'DECODE_ICMP4_TYPE_OTHER' for ICMP
>> types that are completely unknown (not assigned by IANA/no RFC).
>>
>> But: there appears to be no documentation for this rule so I'm not sure
>> what the expected/correct behaviour is...
>>
>>
>> IANA list: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
>>
>> Known by snort (OK)
>> * Type 0 – Echo Reply
>> * Type 3 – Destination Unreachable
>> * Type 4 – Source Quench (Deprecated)
>> * Type 5 – Redirect
>> * Type 8 – Echo
>> * Type 9 – Router Advertisement
>> * Type 10 – Router Selection
>> * Type 11 – Time Exceeded
>> * Type 12 – Parameter Problem
>> * Type 13 – Timestamp
>> * Type 14 – Timestamp Reply
>> * Type 15 – Information Request (Deprecated)
>> * Type 16 – Information Reply (Deprecated)
>> * Type 17 – Address Mask Request (Deprecated)
>> * Type 18 – Address Mask Reply (Deprecated)
>>
>> Unknown by snort:
>> * Type 6 – Alternate Host Address (Deprecated)
>> * Type 30 – Traceroute (Deprecated)
>> * Type 31 – Datagram Conversion Error (Deprecated)
>> * Type 32 – Mobile Host Redirect (Deprecated)
>> * Type 33 – IPv6 Where-Are-You (Deprecated)
>> * Type 34 – IPv6 I-Am-Here (Deprecated)
>> * Type 35 – Mobile Registration Request (Deprecated)
>> * Type 36 – Mobile Registration Reply (Deprecated)
>> * Type 37 – Domain Name Request (Deprecated)
>> * Type 38 – Domain Name Reply (Deprecated)
>> * Type 39 – SKIP (Deprecated)
>> * Type 40 – Photuris
>> * Type 41 – ICMP messages utilized by experimental mobility protocols such
>> as Seamoby
>>
>> Other (OK)
>> * Type 1 – Unassigned
>> * Type 2 – Unassigned
>> * Type 7 – Unassigned
>> * Type 19 – Reserved (for Security)
>> * Types 20-29 – Reserved (for Robustness Experiment)
>> * Types 42-252 – Unassigned
>> * Type 253 – RFC3692-style Experiment 1
>> * Type 254 – RFC3692-style Experiment 2
>>
>>
>> I expect/expected an alert only for the 'Other' list..
>>
>>
>>
>> This was detected because an ICMP message with type 37 was received (and
>> an alert generated).
>> It is unknown what system generated that particular ICMP packet...
>>
>> Just for reference:
>>
>> config:
>>         dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>>         alert ( msg:"DECODE_ICMP4_TYPE_OTHER"; sid:418; gid:116; rev:1;
>> metadata:rule-type decode; )
>>         output alert_fast: stdout
>>
>> running it:
>>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r /tmp/icmp_37.cap 2>&1  2>&1 | grep 116
>>         07/21-15:29:41.473279  [**] [116:418:1] (snort_decoder) WARNING:
>> ICMP4 type other [**] [Priority: 0] {ICMP} 192.168.99.111 -> 10.10.10.10
>>
>> snort version:
>>         $ snort -V
>>            ,,_     -*> Snort! <*-
>>         o"  )~   Version 2.9.5.3 GRE (Build 132)
>>            ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>                    Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>                    Using libpcap version 1.3.0
>>                    Using PCRE version: 8.32 2012-11-30
>>                    Using ZLIB version: 1.2.8
>>
>>
>>
>> Best regards,
>>
>> Bram
>>
>



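Added example (not part of this thread and not Snort's own code): a small C program that mirrors the decision the thread is about. It parses a constructed IPv4/ICMP packet, extracts the type byte, and classifies it against two lists transcribed from Bram's message: the types he reports as present in src/decode.h of Snort 2.9.5.3, and the IANA-assigned types missing from that list. `snort_would_alert` reproduces the behaviour he observed (116:418 fires for anything off the decode.h list); `expected_alert` implements the behaviour he asks for (fire only for unassigned, reserved or RFC3692-experimental types). The sample packet builder, the checksum routine and all function names are this example's own, the decode.h list is taken from the post rather than verified against the source, and type 255, which the post's list omits, is treated as reserved per the IANA registry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Where an ICMPv4 type falls in the discussion above. */
enum icmp4_class {
    ICMP4_KNOWN_TO_SNORT,     /* on the decode.h list quoted in the post: no alert */
    ICMP4_ASSIGNED_NOT_KNOWN, /* IANA-assigned but absent from decode.h: 2.9.5.3 alerts */
    ICMP4_UNASSIGNED_RESERVED /* unassigned, reserved or RFC3692 experimental: alert expected */
};

/* Types Bram reports in src/decode.h of Snort 2.9.5.3 (transcribed from the post). */
static const uint8_t snort_known_types[] = { 0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18 };
/* IANA-assigned types absent from that list (transcribed from the post). */
static const uint8_t iana_assigned_not_known[] = { 6, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41 };

static int in_list(const uint8_t *list, size_t n, uint8_t t)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == t) return 1;
    return 0;
}

enum icmp4_class classify_icmp4_type(uint8_t type)
{
    if (in_list(snort_known_types, sizeof snort_known_types, type)) return ICMP4_KNOWN_TO_SNORT;
    if (in_list(iana_assigned_not_known, sizeof iana_assigned_not_known, type)) return ICMP4_ASSIGNED_NOT_KNOWN;
    /* 1, 2, 7, 19, 20-29, 42-252, 253-254 per the post; 255, which the post's list
       omits, is Reserved in the IANA registry and is put here too (assumption). */
    return ICMP4_UNASSIGNED_RESERVED;
}

/* Behaviour reported for 2.9.5.3: 116:418 fires for anything not in decode.h. */
int snort_would_alert(uint8_t type) { return classify_icmp4_type(type) != ICMP4_KNOWN_TO_SNORT; }

/* Behaviour Bram expects: fire only for unassigned, reserved or experimental types. */
int expected_alert(uint8_t type) { return classify_icmp4_type(type) == ICMP4_UNASSIGNED_RESERVED; }

/* RFC 1071 one's-complement checksum, used for both the IP header and the ICMP message. */
static uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1) sum += (uint32_t)(data[len - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Extract the ICMP type from a raw IPv4 packet (no link-layer header). Returns -1 when
   the packet is not a well-formed IPv4/ICMP datagram or the ICMP checksum fails, so a
   truncated or corrupted packet is never classified as if its type byte were trustworthy. */
int icmp4_type_from_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = (size_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || total < ihl + 8 || total > len) return -1;
    if (pkt[9] != 1) return -1;                   /* IP protocol 1 = ICMP */
    const uint8_t *icmp = pkt + ihl;
    if (inet_checksum(icmp, total - ihl) != 0) return -1;
    return icmp[0];
}

/* Constructed sample: 192.168.99.111 -> 10.10.10.10 carrying an 8-byte ICMP message of
   the given type and code, the shape of the packet in the post's icmp_37.cap (the
   capture itself is not on the page). Returns the number of bytes written, 0 on error. */
size_t build_icmp4_packet(uint8_t type, uint8_t code, uint8_t *out, size_t outlen)
{
    static const uint8_t src[4] = { 192, 168, 99, 111 }, dst[4] = { 10, 10, 10, 10 };
    const size_t total = 20 + 8;
    if (outlen < total) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                                /* IPv4, IHL 5 */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)(total & 0xff);
    out[8] = 64;                                  /* TTL */
    out[9] = 1;                                   /* ICMP */
    memcpy(out + 12, src, 4); memcpy(out + 16, dst, 4);
    uint16_t ipck = inet_checksum(out, 20);
    out[10] = (uint8_t)(ipck >> 8); out[11] = (uint8_t)(ipck & 0xff);
    out[20] = type; out[21] = code;
    uint16_t ick = inet_checksum(out + 20, 8);
    out[22] = (uint8_t)(ick >> 8); out[23] = (uint8_t)(ick & 0xff);
    return total;
}

/* Build the sample for `type`, XOR `corrupt_mask` into one ICMP body byte, and decode it.
   With a nonzero mask the checksum must reject the packet and the result is -1. */
int sample_decoded_type(uint8_t type, uint8_t corrupt_mask)
{
    uint8_t pkt[64];
    size_t n = build_icmp4_packet(type, 0, pkt, sizeof pkt);
    pkt[25] ^= corrupt_mask;
    return icmp4_type_from_ipv4(pkt, n);
}

int main(void)
{
    int type = sample_decoded_type(37, 0);
    printf("ICMP type %d: 2.9.5.3 alerts=%d, expected alert=%d\n",
           type, snort_would_alert((uint8_t)type), expected_alert((uint8_t)type));
    return 0;
}
```

Compiles with any C99 compiler; run stand-alone it decodes the constructed type-37 packet and prints that 2.9.5.3 alerts on it while the behaviour Bram expects would not. Both classification functions are kept separate from the parser so a later "deprecated" or "reserved" split, as Victor proposes, is a change to one table rather than to the decoder.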