[Snort-sigs] ICMP PING BeOS4.x Documentation

daniel uriah clemens daniel_clemens at ...842...
Wed Jul 9 14:48:13 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$


alert icmp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"ICMP PING BeOS4.x"; \
content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0a 0b|"; itype:8; depth:32; \
reference:arachnids,151; sid:370; classtype:misc-activity; rev:4;)


This event indicates an ICMP echo request, the packet sent by the common
utility known as 'ping'.

In its natural state an ICMP echo request is used to measure the health
or availability of the IP stack on a network-connected device: the sender
emits an echo request and expects an echo reply.

The hostile use of the ICMP echo request could indicate an attacker
trying to map your network by seeing which hosts respond and what type of
response each host generates, in order to perform remote operating system

This particular event indicates that the ICMP echo request appears to
originate from a BeOS 4.x (or similar) operating system, identified by the
default payload its ping utility sends.


In its natural state the impact of this event is an attempt to check the
availability of a host; from a more paranoid viewpoint it could be viewed
as reconnaissance and a precursor to an upcoming attack.

Detailed Information:

The rule looks for the byte string "|00000000000000000000000008090a0b|"
(twelve zero bytes followed by 08 09 0a 0b) within the first 32 bytes of
the ICMP payload (depth:32), and only in ICMP type 8 (echo request)
packets (itype:8). The pattern is a fingerprint of the default payload
that BeOS 4.x ping sends, not of the operating system itself: any tool
that sends the same bytes will trigger it, and a ping client sending a
different or user-specified payload will not.
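To make the match concrete, here is an added Python example (not from the original post or the Snort project) that parses a raw ICMP message and applies the same checks the rule expresses: ICMP type 8, and the 16-byte pattern found within the first 32 bytes of the payload that follows the 8-byte ICMP header. The sample payloads are constructed for the example: the BeOS-style one is modeled on the rule's content string, the Linux-style one is a hypothetical timestamp-plus-counter payload, and the last one places the pattern past the depth window to show what depth:32 excludes.

```python
import struct

# Constants taken from the rule for sid 370.
RULE_CONTENT = bytes.fromhex("00000000000000000000000008090a0b")  # content:"|...|"
RULE_DEPTH = 32                                                    # depth:32
ICMP_ECHO_REQUEST = 8                                              # itype:8
ICMP_ECHO_REPLY = 0
ICMP_HEADER_LEN = 8  # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(itype: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a constructed ICMP echo request/reply with a valid checksum."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes):
    """Split a raw ICMP message into (type, code, payload); None if truncated."""
    if len(msg) < ICMP_HEADER_LEN:
        return None
    itype, code = msg[0], msg[1]
    return itype, code, msg[ICMP_HEADER_LEN:]


def sid370_matches(msg: bytes) -> bool:
    """Detection logic of the rule: itype:8 and the content within depth 32.

    depth:32 limits the search to the first 32 payload bytes; the whole
    16-byte pattern must fit inside that window for the rule to fire.
    """
    parsed = parse_icmp(msg)
    if parsed is None:
        return False
    itype, _code, payload = parsed
    if itype != ICMP_ECHO_REQUEST:
        return False
    return RULE_CONTENT in payload[:RULE_DEPTH]


# Constructed sample payloads (not captured traffic).
# Modeled on the rule's content: twelve zero bytes, then 08 09 0a 0b 0c ...
BEOS_PAYLOAD = bytes(12) + bytes(range(0x08, 0x30))
# Hypothetical Linux-style ping payload: 8-byte timestamp, then 10 11 12 ...
LINUX_PAYLOAD = bytes.fromhex("3f0a1234000abcde") + bytes(range(0x10, 0x40))
# Pattern present in the payload, but it starts at byte 28 and ends past the
# 32-byte depth window, so the rule must not fire.
DEEP_PAYLOAD = bytes(40) + bytes(range(0x08, 0x20))

SAMPLES = {
    "BeOS-style echo request": build_icmp_echo(ICMP_ECHO_REQUEST, BEOS_PAYLOAD),
    "Linux-style echo request": build_icmp_echo(ICMP_ECHO_REQUEST, LINUX_PAYLOAD),
    "BeOS-style echo reply": build_icmp_echo(ICMP_ECHO_REPLY, BEOS_PAYLOAD),
    "pattern beyond depth": build_icmp_echo(ICMP_ECHO_REQUEST, DEEP_PAYLOAD),
}


def run_samples() -> dict:
    """Return {sample name: matched?} for the constructed packets."""
    return {name: sid370_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print("%-26s %s" % (name, "ALERT" if hit else "no match"))
```

Only the first sample fires: the echo reply carries the same bytes but fails itype:8, and the last sample contains the full pattern yet misses because it does not sit inside the first 32 payload bytes, which is exactly what depth:32 enforces.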

Affected Systems:
Any system with an IP stack.

Attack Scenarios:

Normal use:
ping remote.host.ip
Hostile use:
could be used by tools such as nemesis, hping2, or nmap

Ease of Attack:

False Positives:

False Negatives:

Corrective Action:

Daniel Uriah Clemens dan.clemens at ...1661...

Additional References:
http://www.whitehats.com arachnids 151

-Daniel Uriah Clemens

Esse quam videri
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
