[Snort-sigs] ICMP PING BayRS Router documentation

daniel uriah clemens daniel_clemens at ...842...
Wed Jul 9 14:32:05 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any
 (msg:"ICMP PING BayRS Router"; itype: 8;\
 content:"|0102030405060708090a0b0c0d0e0f|"; depth:32;\
 reference:arachnids,438; reference:arachnids,444; sid:369; \
 classtype:misc-activity; rev:4;)


--
Sid:
438
--
Summary:

This event indicates an ICMP echo request originating from the common
utility known as 'ping'.

In its natural state, this event is used to measure the health and/or
availability of the IP protocol on a network-connected device through the
use of an ICMP echo request.

The perverse use of the ICMP echo request could indicate an attacker
trying to map your network by seeing which hosts respond and what type of
response is generated from those hosts, in order to perform remote
operating system identification.

This particular event indicates that the ICMP echo request appears to be
originating from a BayRS Router.


--
Impact:

In a natural state, the impact of this event indicates an attempt to
request the availability of a host, while in a paranoid mindset it could
be viewed as a precursor to an upcoming attack.


--
Detailed Information:

The information we are looking for in this ICMP echo request is the content
"|0102030405060708090a0b0c0d0e0f|", which must occur within a maximum depth
of 32 bytes into the ICMP payload.
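The following is an added example, not part of the original post, showing how the rule's two conditions (itype 8 and the hex content found within the first 32 bytes of the ICMP payload) can be checked against a raw ICMP message. It assumes, as Snort does, that the ICMP payload begins after the 8-byte echo header (type, code, checksum, id, seq); all packets below are constructed in the script rather than captured.

```python
import struct

# Content and depth taken from the rule in the post: bytes 0x01 .. 0x0f
RULE_CONTENT = bytes.fromhex("0102030405060708090a0b0c0d0e0f")
RULE_DEPTH = 32
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes):
    """Split a raw ICMP message into its 8-byte echo header and payload.
    Returns None when the message is too short to carry an echo header."""
    if len(packet) < 8:
        return None
    itype, code, checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": itype, "code": code, "checksum": checksum,
            "id": ident, "seq": seq, "payload": packet[8:]}


def content_within_depth(payload: bytes, content: bytes, depth: int) -> bool:
    """Emulate Snort's content/depth: the pattern must lie entirely inside
    the first `depth` bytes of the payload."""
    return payload[:depth].find(content) != -1


def matches_bayrs_rule(packet: bytes) -> bool:
    """True when the packet would fire the 'ICMP PING BayRS Router' rule:
    echo request (itype 8) with RULE_CONTENT inside the first 32 payload bytes."""
    hdr = parse_icmp(packet)
    if hdr is None or hdr["type"] != ICMP_ECHO_REQUEST:
        return False
    return content_within_depth(hdr["payload"], RULE_CONTENT, RULE_DEPTH)


def build_icmp(itype: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP echo message with a valid checksum (sample data only)."""
    hdr = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


# Constructed samples (not real captures):
# payload 00 01 02 .. 1f: the rule content starts at offset 1, inside depth 32
SAMPLE_MATCH = build_icmp(ICMP_ECHO_REQUEST, bytes(range(0x00, 0x20)))
# same content, but pushed to offset 32, so outside the depth window
SAMPLE_TOO_DEEP = build_icmp(ICMP_ECHO_REQUEST, b"\x00" * 32 + RULE_CONTENT)
# an echo reply carrying the content: wrong itype, must not match
SAMPLE_REPLY = build_icmp(ICMP_ECHO_REPLY, bytes(range(0x00, 0x20)))
# a payload shaped like a common Unix ping (8 filler bytes, then 0x10 ..): no match
SAMPLE_OTHER_PING = build_icmp(ICMP_ECHO_REQUEST, b"\x00" * 8 + bytes(range(0x10, 0x38)))

if __name__ == "__main__":
    for name, pkt in [("match", SAMPLE_MATCH), ("too_deep", SAMPLE_TOO_DEEP),
                      ("reply", SAMPLE_REPLY), ("other_ping", SAMPLE_OTHER_PING)]:
        print(name, matches_bayrs_rule(pkt))
```

The depth check is what separates this rule from a plain "echo request" alert: the same bytes appearing later in the payload, or in an echo reply, do not fire it.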


--
Affected Systems:
Any system with an IP stack.

--
Attack Scenarios:

Normal use:
ping remote.host.ip
Hostile use:
could be used by tools like nemesis, hping2, or nmap

--
Ease of Attack:
simple

--
False Positives:

--
False Negatives:

--
Corrective Action:

--
Contributors:
Daniel Uriah Clemens dan.clemens at ...1661...

-- 
Additional References:
http://www.whitehats.com arachnids 438

-Daniel Uriah Clemens

Esse quam videri
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD