[Snort-sigs] Snort signature

Johan Augustsson johan.augustsson at ...458...
Wed Mar 20 18:53:03 EST 2002


Since I wrote the rule once upon a time I feel like I have a responsibility
to submit a signature.  :)

I put in a tcpdump as well.


Rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; content:"|0000000000000000|"; itype:8; dsize:8; classtype:attempted-recon; sid:474; rev:1;)


Sid: 474


Summary: ICMP Echo Request from the Windows-based scanner SuperScan


Impact: If your host returns an ICMP Echo Reply it confirms its
existence.


Detailed Information: SuperScan is a Windows-based scanner from
Foundstone and is free to use. By default the scanner sends an ICMP Echo
Request before starting the scan. This ICMP packet has a special payload
of eight (8) bytes, all the number zero (0). This scanner is fairly
popular among Windows users.


Attack Scenarios: Recon


Ease of Attack: Easy


False Positives: Some tools other than SuperScan may generate a
packet just like this. If so, it's still not a normal ICMP Echo Request.


False Negatives: N/A


Corrective Action: 


Contributors: Johan Augustsson johan.augustsson at ...458... Initial
Research

 
Additional References: http://www.foundstone.com/



Johan Augustsson

--------------------------------------------------------------
Johan Augustsson           Phone: +46 (0)31 773 5361
Incident Response Team     Fax: +46 (0)31 773 1087
Göteborg University        E-mail: Johan.Augustsson at ...458...
Sweden
--------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_sig.tcpdump
Type: application/octet-stream
Size: 100 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020320/b6f4d98b/attachment.obj>
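The three conditions the rule above checks (itype:8, dsize:8, an all-zero payload), applied in code to constructed ICMP messages; this is an added example, not the poster's rule or the attached tcpdump, and the sample payloads are constructed here, not captured from SuperScan.

```python
import struct

# Constructed sample payloads (assumptions for this example, not captured traffic).
SUPERSCAN_LIKE = bytes(8)                  # eight 0x00 bytes, as the rule describes
WINDOWS_PING_LIKE = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte alphabet pattern
EIGHT_NONZERO = b"\x00\x00\x00\x00\x00\x00\x00\x01"      # same size, not all zero


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, payload: bytes, ident: int = 0x0300, seq: int = 1) -> bytes:
    """Build an ICMP message (code 0) with a valid checksum; type 8 = Echo Request."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def matches_sid_474(icmp: bytes) -> bool:
    """Apply the rule's conditions to a raw ICMP message (IP header already stripped).

    itype:8  -> first byte is 8 (Echo Request)
    dsize:8  -> exactly 8 bytes of payload after the 8-byte ICMP header
    content  -> those 8 bytes are all 0x00
    """
    if len(icmp) < 8:
        return False
    itype = icmp[0]
    payload = icmp[8:]
    return itype == 8 and len(payload) == 8 and payload == bytes(8)


def classify(samples: dict) -> list:
    """Return the names of the samples that would trigger sid 474."""
    return [name for name, msg in samples.items() if matches_sid_474(msg)]


SAMPLES = {
    "superscan_like_echo_request": build_icmp(8, SUPERSCAN_LIKE),
    "windows_ping_like": build_icmp(8, WINDOWS_PING_LIKE),
    "eight_bytes_not_zero": build_icmp(8, EIGHT_NONZERO),
    "zero_payload_echo_reply": build_icmp(0, SUPERSCAN_LIKE),  # type 0, not 8
}
```

Only the first sample matches; the echo reply with the same zero payload does not, which is the itype:8 condition doing its work.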

