[Snort-sigs] ICMP PING *NIX documentation

daniel uriah clemens daniel_clemens at ...842...
Wed Jul 9 14:23:05 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$


alert icmp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"ICMP PING *NIX"; itype:8; \
content:"|10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f|"; depth:32; \
sid:366; classtype:misc-activity; rev:4;)


This event indicates an ICMP echo request generated by the common 'ping'
utility on a Unix-based operating system.

In its benign form, the ICMP echo request is used to measure the health
or availability of the IP stack on a network-connected device.

Malicious use of the ICMP echo request could indicate an attacker trying
to map your network by seeing which hosts respond and what type of
response each host generates, in order to perform remote operating system

This particular event indicates that the ICMP echo request appears to
originate from a Unix-based operating system.

If the apparent source host is not a Unix-based operating system, the
packet may be spoofed or crafted, and the event is worth investigating
as a possible attack.


In the benign case the impact of this event is simply an attempt to check
the availability of a host; from a more cautious standpoint it could be
viewed as reconnaissance preceding an attack.

Detailed Information:

The rule looks for the byte sequence "|10 11 12 13 14 15 16 17 18 19 1a
1b 1c 1d 1e 1f|" within the first 32 bytes (depth:32) of the ICMP
payload. Unix ping utilities fill the echo data following the 8-byte
timestamp with sequentially increasing byte values, so in a default-sized
request these 16 bytes sit at payload offsets 16 through 31, which is
exactly what the depth of 32 covers. A non-default packet size or a
custom fill pattern will not produce this sequence.

Affected Systems:

Attack Scenarios:

Normal use:
ping remote.host.ip
Hostile use:
The same payload could be produced by packet-crafting tools such as
nemesis, hping2, or nmap.
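The following is an added example (not from the original post or from the Snort project) that reproduces the sid:366 match logic in Python and runs it against constructed ICMP echo requests: one built the way a Unix ping fills its data (8-byte timestamp followed by bytes whose value equals their offset), one using the Windows ping default text pattern, and an echo reply. The payload layouts and the identifier/sequence values are constructed assumptions for illustration; the byte sequence and depth come from the rule above.

```python
import struct

# From sid:366: content:"|10 11 ... 1f|" searched within depth:32 of the ICMP data.
SID366_CONTENT = bytes(range(0x10, 0x20))
SID366_DEPTH = 32
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
                    ident: int = 0x1234, seq: int = 1) -> bytes:
    """Assemble an ICMP echo message: 8-byte header (type, code, csum, id, seq) + data.
    ident/seq are arbitrary constructed values."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def unix_ping_payload(timestamp: bytes = b"\x00" * 8, datalen: int = 56) -> bytes:
    """Constructed approximation of a Unix ping payload: an 8-byte timestamp
    followed by bytes whose value equals their offset in the data (8, 9, 10, ...).
    The default data length of 56 gives 0x10..0x1f at offsets 16..31."""
    return timestamp + bytes(i & 0xFF for i in range(len(timestamp), datalen))


# Constructed sample: the 32-byte ASCII pattern a Windows ping sends by default.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def sid366_matches(packet: bytes) -> bool:
    """Apply the rule to one ICMP message: itype:8 and the content must lie
    entirely within the first 32 bytes of the data following the 8-byte echo header."""
    if len(packet) < 8:
        return False
    if packet[0] != ICMP_ECHO_REQUEST:
        return False
    data = packet[8:]
    return SID366_CONTENT in data[:SID366_DEPTH]


def classify_samples() -> dict:
    """Run the rule over constructed packets and report which ones alert."""
    samples = {
        "unix ping default":   build_icmp_echo(unix_ping_payload()),
        "unix ping -s 16":     build_icmp_echo(unix_ping_payload(datalen=16)),
        "windows ping":        build_icmp_echo(WINDOWS_PING_PAYLOAD),
        "echo reply (type 0)": build_icmp_echo(unix_ping_payload(), icmp_type=0),
    }
    return {name: sid366_matches(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print("%-22s %s" % (name, "ALERT sid:366" if hit else "no match"))
```

Only the default-sized Unix request fires; a shortened packet (-s 16) never reaches offset 16 and is a false negative, while the Windows text pattern and an echo reply do not match, which is why a hit from a non-Unix source points at a crafted or spoofed packet.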

Ease of Attack:

False Positives:

False Negatives:

Corrective Action:

Daniel Uriah Clemens dan.clemens at ...1661...

Additional References:

-Daniel Uriah Clemens

Esse quam videri (to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
