[Snort-sigs] ICMP Echo Reply

Gisli Helgason Gisli at ...281...
Thu Jan 24 01:17:09 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: ICMP Echo Reply

--
Sid: 408

--
Summary: ICMP Echo Reply was sent to a host on your network.

--
Impact:  If it is part of a DoS attack it will consume bandwidth and may
crash or degrade the performance of your hosts.  If it is used as a
control channel for a backdoor trojan, your host may have been compromised.

--
Detailed Information: ICMP echo replies are used to test network connectivity
and are normally seen on all networks.  ICMP echo replies can be used to
control backdoor trojans by hiding data in the payload of the packet.  Large
numbers of ICMP echo replies may indicate you are the victim of a DoS attack.

--
Attack Scenarios:

--
Ease of Attack:  Causing a DoS using ICMP echo replies is simple using
applications like nmap that can forge the source address of a packet.  Most
trojans will have a frontend that generates the packets automatically.

--
False Positives: Because ICMP echo replies are used extensively to test network
connectivity, they will show up on most networks.

--
False Negatives:

--
Corrective Action:  Verify that the packet was not malicious, and
investigate blocking certain types of ICMP traffic at your firewall.  

--
Contributors:  Gisli Helgason mailto:gh1304 at ...12...

-- 
Additional References:
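As an added illustration of the two detection points in this description (hidden data in the echo reply payload, and large reply volumes as a DoS signal), here is a small Python checker run over constructed ICMP echo reply packets; it is not part of this submission or of Snort. The 64-byte payload limit, the byte-ramp heuristic for "looks like ping" and the flood threshold are assumptions to tune per site.

```python
import struct
from collections import Counter
ICMP_ECHO_REPLY = 0  # ICMP type 0: the message Snort sid 408 alerts on

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum; over a correctly checksummed message it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_reply(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample packet: an ICMP echo reply with a correct checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Split a raw ICMP message into header fields and payload."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}

def suspicious_reasons(packet: bytes, max_payload: int = 64) -> list:
    """Why an echo reply deserves a look; an empty list means it looks like ping."""
    msg = parse_icmp(packet)
    if msg["type"] != ICMP_ECHO_REPLY:
        return []
    reasons = []
    if not msg["checksum_ok"]:
        reasons.append("bad checksum")
    payload = msg["payload"]
    if len(payload) > max_payload:  # 64-byte limit is an assumed site threshold
        reasons.append("oversized payload (%d bytes)" % len(payload))
    # Assumed heuristic: ping tools fill the payload after a timestamp with a byte ramp
    body = payload[16:]
    if len(body) >= 8:
        ramp = sum((body[i + 1] - body[i]) % 256 == 1 for i in range(len(body) - 1))
        if ramp < 0.9 * (len(body) - 1):
            reasons.append("payload is not a ping-style byte ramp")
    return reasons

def flood_victims(events: list, threshold: int) -> dict:
    """events: (destination, packet) pairs from one window; hosts at/over threshold."""
    counts = Counter(dst for dst, pkt in events
                     if parse_icmp(pkt)["type"] == ICMP_ECHO_REPLY)
    return {dst: n for dst, n in counts.items() if n >= threshold}
```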
