[Snort-sigs] Snort signature

Johan Augustsson johan.augustsson at ...458...
Wed Mar 20 18:53:03 EST 2002

Since I wrote the rule once upon a time I feel like I have a responsibility
to submit a signature.  :)

I put in a tcpdump as well.

Rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; content:"|0000000000000000|"; itype: 8; dsize:8; classtype:attempted-recon; sid:474; rev:1;)

Sid: 474

Summary: ICMP Echo Request from the Windows-based scanner SuperScan

Impact: If your host returns an ICMP Echo Reply it confirms its

Detailed Information: SuperScan is a Windows-based scanner from
Foundstone and is free to use. By default the scanner sends an ICMP Echo
Request before starting the scan. This ICMP packet has a special payload
of eight (8) bytes, all the number zero (0). This scanner is fairly
popular among Windows users.

Attack Scenarios: Recon

Ease of Attack: Easy

False Positives: Some other tools other than SuperScan may generate a
packet just like this. If so, it's still not a normal ICMP Echo Request.

False Negatives: N/A

Corrective Action: 

Contributors: Johan Augustsson johan.augustsson at ...458... Initial

Additional References: http://www.foundstone.com/

Johan Augustsson

Johan Augustsson           Phone: +46 (0)31 773 5361
Incident Response Team     Fax: +46 (0)31 773 1087
Göteborg University        E-mail: Johan.Augustsson at ...458...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_sig.tcpdump
Type: application/octet-stream
Size: 100 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020320/b6f4d98b/attachment.obj>
