[Snort-sigs] Re: ICMP PING speedera - Hacker Tool?

George Bakos gbakos at ...487...
Fri Apr 19 18:05:02 EDT 2002


Rob,
The Snort signature that is firing is merely matching on the binary 
content of a ping message:

msg:"ICMP PING speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100

which translates into "89:;<=>?" within the first 100 bytes.

A 64 byte ping from a Linux 2.4.x box will fire the rule, as will any 
other OS that uses the ASCII table to fill its ping content, as long as 
the size of the message is large enough to hit that part of the character 
set.

And yes, pings do often precede attacks.

On 3 Apr 2002 at 8:28, thus spake Robert Wagner:

> One little bit of followup -> It appears that there may be a hacker tool
> that uses a speedera type of packet to identify systems.  I would
> recommend starting to capture some of this traffic for further analysis. 
> I noticed this traffic:
> 
> Apr  1 03:40:54 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP} 65.69.8.140 -> me
> Apr  1 03:47:28 mydomain portsentry[3845]: attackalert: SYN/Normal scan from host: adsl-65-69-8-140.dsl.hstntx.swbell.net/65.69.8.140 to TCP port: 445
> 
> NOTE: true speedera doesn't originate from DSL servers!!!
> 
> Apr  1 03:47:29 mydomain kernel: Packet log: input DENY eth0 PROTO=6
> 65.69.8.140:3185 me:445 L=48 S=0x00 I=5230 F=0x4000 T=118 SYN (#1)
> Apr  1 03:47:31 mydomain kernel: Packet log: input DENY eth0 PROTO=6
> 65.69.8.140:1025 me:139 L=48 S=0x00 I=5285 F=0x4000 T=118 SYN (#1)
> Apr  1 03:47:31 mydomain kernel: Packet log: input DENY eth0 PROTO=6
> 65.69.8.140:3187 me:139 L=48 S=0x00 I=5287 F=0x4000 T=118 SYN (#1)
> Apr  1 03:47:35 mydomain kernel: Packet log: input DENY eth0 PROTO=6
> 65.69.8.140:3185 me:445 L=48 S=0x00 I=5338 F=0x4000 T=118 SYN (#1)
> Apr  1 03:47:37 mydomain kernel: Packet log: input DENY eth0 PROTO=6
> 65.69.8.140:1025 me:139 L=48 S=0x00 I=5354 F=0x4000 T=118 SYN (#1)
> Apr  1 03:47:37 mydomain kernel: Packet log: input DENY eth0 PROTO=6
> 65.69.8.140:3187 me:139 L=48 S=0x00 I=5369 F=0x4000 T=118 SYN (#1)
> Apr  1 03:47:49 mydomain kernel: Packet log: input DENY eth0 PROTO=6
> 65.69.8.140:3224 me:80 L=48 S=0x00 I=5501 F=0x4000 T=118 SYN (#1)
> Apr  1 03:47:52 mydomain kernel: Packet log: input DENY eth0 PROTO=6
> 65.69.8.140:3224 me:80 L=48 S=0x00 I=5542 F=0x4000 T=118 SYN (#1)
> Apr  1 03:47:58 mydomain kernel: Packet log: input DENY eth0 PROTO=6
> 65.69.8.140:3224 me:80 L=48 S=0x00 I=5579 F=0x4000 T=118 SYN (#1)
> 
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Apr  3 02:20:07 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP} 65.69.8.140 -> me
> Apr  3 02:20:07 mydomain kernel: Packet log: input DENY eth0 PROTO=1 65.69.8.140:8 me:0 L=65 S=0x00 I=33194 F=0x0000 T=118 (#4)
> Apr  3 02:20:13 mydomain kernel: Packet log: input DENY eth0 PROTO=1 65.69.8.140:8 me:0 L=65 S=0x00 I=33470 F=0x0000 T=118 (#4)
> Apr  3 02:20:13 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP} 65.69.8.140 -> me
> Apr  3 02:20:18 mydomain kernel: Packet log: input DENY eth0 PROTO=1 65.69.8.140:8 me:0 L=65 S=0x00 I=33702 F=0x0000 T=118 (#4)
> Apr  3 02:20:18 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP} 65.69.8.140 -> me
> 
> NOTE:  Speedera typically doesn't send multiple packets - I believe it is
> one per from several different hosts.
> 
> I believe this is good speedera traffic:
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 208.185.54.14 -> mydns
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 209.10.58.124 -> mydns
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 64.0.96.12 -> mydns
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 63.123.77.194 -> mydns
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 205.158.108.194 -> mydns
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 204.176.88.5 -> mydns
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 64.14.117.10 -> mydns
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 213.61.6.2 -> mydns
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 209.68.217.194 -> mydns
> Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 212.62.17.145 -> mydns
> Mar 11 08:16:34 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 212.0.126.130 -> mydns
> 
> 
> -----Original Message-----
> From: Robert Wagner 
> Sent: Tuesday, April 02, 2002 9:39 AM
> To: 'ramos at ...442...'; snort-sigs at lists.sourceforge.net
> Subject: RE: [Snort-sigs] ICMP PING speedera
> 
> 
> Annoying traffic.  Several websites use a service called speedera.  When
> you visit the website, the speedera service pings you to determine the
> fastest server to respond to you.  Thus providing the customer with a fast
> website response (and several pings).  You can do a Google search for
> speedera to get more technical information.  It looks kind of like a basic
> Ping attack because you get pinged from a dozen or so servers.
> 
> -----Original Message-----
> From: ramos at ...442... [mailto:ramos at ...442...]
> Sent: Tuesday, April 02, 2002 6:39 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] ICMP PING speedera
> 
> 
> Hi Community!!!
> 
> Anybody knows something about ICMP PING speedera?
> 
> Best regards,
> Rodrigo Ramos
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> 

-- 
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos at ...487...
voice 	603-646-0665
fax	603-646-0666
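An added example (not code from this thread, from the Snort project, or from any ping implementation) that works through the two points raised above: it decodes the rule's |hex| content, applies Snort's content/depth test to modelled ping payloads to show that the match depends only on payload length and fill pattern, and then sorts the quoted alerts by source address so that a burst of one ping each from many hosts is separated from a single host that pings repeatedly. The Linux-style fill (8-byte timestamp, then each byte holding its own offset) and the Windows-style "abcdefg..." fill are assumptions stated in the code, not captured traffic; the sample syslog lines are copied from the thread.

```python
"""Added example (not from the Snort-sigs thread or the Snort project):
reproduces the content/depth test of rule 1:480 on modelled ping payloads
and sorts the thread's quoted alerts by source address."""
import re
from collections import defaultdict


def snort_content_bytes(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    hex digits inside |...| are bytes (spaces ignored)."""
    out = bytearray()
    for idx, part in enumerate(spec.split("|")):
        if idx % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


# The rule's content "|3839 3a3b 3c3d 3e3f|" is b"89:;<=>?", searched with depth 100.
SPEEDERA_CONTENT = snort_content_bytes("|3839 3a3b 3c3d 3e3f|")
SPEEDERA_DEPTH = 100


def content_match(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Snort content + depth semantics: the whole pattern must lie inside
    the first `depth` bytes of the payload."""
    return pattern in payload[:depth]


def fires_speedera(payload: bytes) -> bool:
    return content_match(payload, SPEEDERA_CONTENT, SPEEDERA_DEPTH)


def linux_style_payload(data_len: int) -> bytes:
    """Assumed model of a classic Linux/BSD ping payload (constructed, not
    captured): an 8-byte timestamp, then each byte holds its own offset,
    i.e. the 'ASCII table' fill the thread refers to."""
    body = bytearray(8)
    for i in range(8, data_len):
        body.append(i & 0xFF)
    return bytes(body[:data_len])


def windows_style_payload(data_len: int) -> bytes:
    """Assumed model of a Windows ping payload (constructed): the letters
    'abcdefghijklmnopqrstuvw' repeated; it never contains b"89:;<=>?"."""
    pattern = b"abcdefghijklmnopqrstuvw"
    return (pattern * (data_len // len(pattern) + 1))[:data_len]


def first_matching_length(max_len: int = 200) -> int:
    """Smallest modelled Linux payload size at which the rule fires (-1 if none)."""
    for n in range(1, max_len + 1):
        if fires_speedera(linux_style_payload(n)):
            return n
    return -1


# Syslog lines reproduced from the thread (both the bare and the
# [Classification ...] alert formats), plus one kernel line that is not an alert.
SAMPLE_LINES = [
    "Apr  1 03:40:54 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP} 65.69.8.140 -> me",
    "Apr  1 03:47:29 mydomain kernel: Packet log: input DENY eth0 PROTO=6 65.69.8.140:3185 me:445 L=48 S=0x00 I=5230 F=0x4000 T=118 SYN (#1)",
    "Apr  3 02:20:07 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP} 65.69.8.140 -> me",
    "Apr  3 02:20:13 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP} 65.69.8.140 -> me",
    "Apr  3 02:20:18 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP} 65.69.8.140 -> me",
    "Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 208.185.54.14 -> mydns",
    "Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 209.10.58.124 -> mydns",
    "Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc activity] [Priority: 3]: {ICMP} 64.0.96.12 -> mydns",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort(?:\[\d+\])?: \[1:480:\d+\] "
    r"ICMP PING speedera.*?\{ICMP\} (?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\S+)$"
)


def triage_speedera_alerts(lines):
    """Group rule-480 alerts by source. Returns (single, repeat): sources with
    exactly one alert (what a CDN burst looks like: many hosts, one ping each,
    same second) and sources that alerted more than once (the case the thread
    says is worth a closer look)."""
    by_src = defaultdict(list)
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            by_src[m["src"]].append(m["ts"])
    single = sorted(s for s, ts in by_src.items() if len(ts) == 1)
    repeat = sorted(s for s, ts in by_src.items() if len(ts) > 1)
    return single, repeat


if __name__ == "__main__":
    print("rule bytes:", SPEEDERA_CONTENT)
    for n in (56, 64, 128):
        print(f"linux-style {n}-byte payload fires:", fires_speedera(linux_style_payload(n)))
    print("windows-style 64-byte payload fires:", fires_speedera(windows_style_payload(64)))
    print("smallest firing linux-style payload:", first_matching_length())
    single, repeat = triage_speedera_alerts(SAMPLE_LINES)
    print("single-alert sources:", single)
    print("repeat sources:", repeat)
```

Under the modelled fill the run 0x38..0x3f first appears at payload offset 56, so the rule only fires once the ICMP data is at least 64 bytes long, and the depth:100 modifier means a payload that carries the same bytes later than offset 100 is ignored. The triage half is deliberately simple: it counts alerts per source and nothing else, which is enough to tell the Mar 11 pattern (eleven hosts, one ping each, same second) from the 65.69.8.140 pattern (one host, several pings over days).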
