[Snort-sigs] ICMP PING Cisco Type.x (supposedly ios 9.x) documentation
daniel uriah clemens
daniel_clemens at ...842...
Wed Jul 9 14:55:01 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert icmp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"ICMP PING Cisco Type.x"; \
reference:arachnids,153; sid:371; classtype:misc-activity; rev:4;)
This event indicates an icmp echo request originating from the common
utility known as 'ping'.
This event in nature is in its natural state is used to measure the health
and or availability of an ip protocol on a network connected device
through the use of an icmp echo request.
The perverse use of the icmp echo request could indicate an attacker
trying to map your network by seeing what hosts respond and what type of
response is generated from these hosts to perform remote operating system
This particular event indicates the icmp echo request appears to be
originating from a Cisco based network operating system version 9.x.
In a natural state the impact of this event indicates an attempt to
request the availability of a host, while in a paranoid mindset this could
be viewed as a precursor to an upcoming attack.
The information we are looking for in this icmp echo request
"|abcdabcdabcdabcdabcdabcdabcdabcd|" with the maximum depth of 32 bytes
in the icmp payload.
any system with a ip stack
could be used by tools like nemesis,hping2,or nmap
Ease of Attack:
Daniel Uriah Clemens dan.clemens at ...1661...
http://www.whitehats.com arachnids 153
-Daniel Uriah Clemens
Esse quam videra
(to be, rather than to appear)
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD
More information about the Snort-sigs