[Snort-sigs] Questions about Snort Alerts
alexander.s at ...1565...
Tue Jul 8 16:26:01 EDT 2003
ID:17337 is the IP identifcation field and ID:43444 is the ICMP identification field. The ID field in the IP header is used to reassemble packets that get fragmented. The ID field in the ICMP header is used in ECHO packets to match a reply with a corresponding request. Both fields can be used in snort rules, the following is taken from the Snort user's manual:
This option keyword is used to test for an exact match in the IP header fragment ID field. Some hacking tools (and other programs) set this field specifically for various purposes, for example the value 31337 is very popular with some hackers. This can be turned against them by putting a simple rule in place to test for this and some other hacker numbers.
The icmp_id option examines an ICMP ECHO packet's ICMP ID number for a specific value. This is useful because some covert channel programs use static ICMP fields when they communicate. This particular plugin was developed to enable the stacheldraht detection rules written by Max Vision, but it is certainly useful for detection of a number of potential attacks.
I hope this helps.
From: eric [mailto:eric at ...1659...]
Sent: Friday, July 04, 2003 9:52 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Questions about Snort Alerts
There is an alert in the following:
[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
07/04-13:46:26.915559 192.168.53.19 -> 188.8.131.52
ICMP TTL:124 TOS:0x0 ID:17337 IpLen:20 DgmLen:60
Type:8 Code:0 ID:43444 Seq:768 ECHO
[Xref => http://www.whitehats.com/info/IDS154]
I would like to ask what the the ID (ID:43444) means? Please reply me what you feel free. Thank you.
梁颖培 / 数据通讯部 Eric / DATA & COMMUNICATION DEPT.
新力宽频网络有限公司 (www.sunly.com) Sunly Broadband Network Co. LTD (www.sunly.com)
电话:0757-2223088 传真:0757-2226088 Tel:0757-2223088 Fax:0757-2226088
电子邮件: eric at ...1659... E-mail: eric at ...1659...
More information about the Snort-sigs