[Snort-sigs] 10 documented Signatures

daniel uriah clemens daniel_clemens at ...842...
Tue Jul 8 15:19:07 EDT 2003


> Rules:
>  alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping";
> content:  "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
> reference:arachnids,311; classtype:attempted-recon;  sid:466; rev:1;)


Can we change this rule to be "ICMP L3retriever ICMP ECHO"?
I know most of the rules in the database state 'PING' instead of echo.


> --
> Sid:
>  466
> --
> Summary:
>  This is a packet which if seen means someone is using the L3retriever
> software to map your network through ping packets.


'...... through icmp echo packets. (ICMP type 8)'

> --
> Impact:
>  Recon information and network mapping
> --
> Detailed Information:
>  Specifically marked ping packets used to map a network by seeing who
> responds to ICMP pings.

'... to ICMP echo with ICMP echo-response'

> --
> Affected Systems:
>  All that answer for PING

'.. for ICMP echo requests'.

> --
> Attack Scenario:
>  scripted information gathering such as VA teams
> --
> Ease of Attack:
>  scripted attack - easy
> --
> False Positives:
>  none
> --
> False negatives:
>  none
> --
> Corrective Action:
>  investigate source of probes
> --
> Contributors:
>  Jake Babbin
> --
> References:
>  arachnids 311
>


I would replace ICMP PING packets throughout this rule with ICMP ECHO...

-Dan



>
>
> Rule:
>  alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold
> Windows"; content:"|5768 6174 7355 7020  2d20 4120 4e65
> 7477|";itype:8;depth:32; reference:arachnids,168; sid:482;
> classtype:misc-activity; rev:2;)
> --
> Sid:
>  482
> --
> Summary:
>  This is a packet which if seen means that someone is using the Windows
> Mapping and Monitoring tool What's Up Gold to  monitor or probe the network.
>
> --
> Impact:
>  Recon information and network mapping
> --
> Detailed Information:
>  Specifically marked Ping packets which are used to map a network again by
> seeing who responds to ICMP ping packets.
> --
> Affected Systems:
>  All who answer for PING
> --
> Attack Scenario:
>  automated scripted network recon such as Net Ops or VA teams
> --
> Ease of Attack:
>  scripted attack - easy
> --
> False Positives:
>  none
> --
> False Negatives:
>  none
> --
> Corrective Action:
>  investigate source of probes
> --
> Contributors:
>  Jake Babbin
> --
> References:
>  arachnids 168
>
>
> Rule:
>  alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2
> Windows";  content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32;
> reference:arachnids,154; sid:483;  classtype:misc-activity; rev:2;)
> --
> Sid:
>  483
> --
> Summary:
>  This is an ICMP packet which if seen means that someone is using the
> windows tool CyberKit to probe the network.
> --
> Impact:
>  Recon information and network mapping
> --
> Detailed Information:
> Specifically marked ping packets used to map a network through ICMP Pings
> --
> Affected Systems:
>  All who answer for PING
> --
> Attack Scenarios:
>  Automated network recon such as Net Ops or VA teams
> --
> Ease of Attack:
>  Scripted attack - easy
> --
> False Positives:
>  some HP OpenView polling has been known to trigger this rule
> --
> False Negatives:
>  none
> --
> Corrective Action:
>  investigate source of probes
> --
> Contributors:
>  Jake Babbin
> --
> References:
>  arachnids 154
>
>

-Daniel Uriah Clemens

Esse quam videra
    (to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
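All three quoted rules key on a fixed byte pattern at the start of an ICMP echo request payload. The Python below is an added example, not code from the thread, from Jake Babbin's submission or from Snort itself: it transcribes the sid 466, 482 and 483 rule options as quoted above into a small matcher run over constructed ICMP packets, so a rule author can see how itype, icode, content and depth interact, and how the |hex| content of sid 482 decodes. It assumes Snort applies content and depth to the ICMP data after the 8-byte ICMP header; the sample packets and the helper names (parse_content, build_icmp_echo, matching_sids) are my own.

```python
import struct

# Rule options transcribed from the three quoted rules (sid 466, 482, 483).
# icode is None where the quoted rule does not constrain it.
RULES = [
    {"sid": 466, "msg": "ICMP L3retriever Ping", "itype": 8, "icode": 0,
     "content": "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI", "depth": 32},
    {"sid": 482, "msg": "ICMP PING WhatsupGold Windows", "itype": 8, "icode": None,
     "content": "|5768 6174 7355 7020  2d20 4120 4e65 7477|", "depth": 32},
    {"sid": 483, "msg": "ICMP PING CyberKit 2.2 Windows", "itype": 8, "icode": None,
     "content": "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|", "depth": 32},
]


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text outside |...| is literal ASCII; text inside |...| is hex with
    whitespace ignored, which is how the quoted rules write binary payloads."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("ascii")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def build_icmp_echo(payload: bytes, itype: int = 8, icode: int = 0,
                    ident: int = 1, seq: int = 1) -> bytes:
    """Constructed ICMP packet: 8-byte header (checksum left as 0) + payload.

    Only the fields the rules inspect matter here, so no checksum is computed."""
    return struct.pack("!BBHHH", itype, icode, 0, ident, seq) + payload


def match_rule(rule: dict, packet: bytes) -> bool:
    """Apply one rule's itype/icode/content/depth options to a raw ICMP packet.

    Assumption: content matching is done against the data after the 8-byte
    ICMP header, and depth:N means the pattern must lie entirely within the
    first N bytes of that data."""
    itype, icode = packet[0], packet[1]
    if itype != rule["itype"]:
        return False
    if rule["icode"] is not None and icode != rule["icode"]:
        return False
    payload = packet[8:]
    needle = parse_content(rule["content"])
    return needle in payload[:rule["depth"]]


def matching_sids(packet: bytes) -> list:
    """Return the sids of every transcribed rule that fires on the packet."""
    return [r["sid"] for r in RULES if match_rule(r, packet)]


if __name__ == "__main__":
    # Constructed samples: one payload per tool pattern, plus two negatives.
    samples = {
        "L3retriever-style": build_icmp_echo(b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"),
        "WhatsUp-style": build_icmp_echo(b"WhatsUp - A Network Monitoring"),
        "CyberKit-style": build_icmp_echo(b"\xaa" * 32),
        # Same bytes as the L3retriever pattern, but in an echo reply (type 0).
        "echo reply": build_icmp_echo(b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI", itype=0),
        # Pattern present but past depth:32, so the rule must not fire.
        "beyond depth": build_icmp_echo(b"\x00" * 40 + b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"),
    }
    print("sid 482 content decodes to:", parse_content(RULES[1]["content"]))
    for name, pkt in samples.items():
        print(f"{name:20s} -> {matching_sids(pkt)}")
```

The "beyond depth" and "echo reply" samples are the cases worth keeping in mind when tuning these rules: depth:32 is what keeps the match cheap and tied to the start of the echo data, and itype:8 is what makes the signatures fire on the probe rather than on the reply from the host being mapped.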