[Snort-sigs] SID 372 (my contribution #7)
alexander.s at ...1565...
Mon Jun 9 09:41:06 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# content matches the payload bytes "Pinging from Del" (hex-encoded below)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Delphi-Piette Windows"; content:"|50696e67696e672066726f6d2044656c|"; itype:8; depth:32; reference:arachnids,155; sid:372;)
ping is a standard networking utility that determines whether a target host
is up. This rule indicates that the ping originated from a Windows
program that was written in Delphi.
It can be used as a reconnaissance tool.
ping sends an ICMP Echo Request packet to an IP address. If a host is
up at that address it will reply with an ICMP Echo Reply. The reply
includes the data portion of the echo packet. The data included in the
Echo Request varies across different implementations.
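The rule's matching logic in code, as an added illustration that is not part of the original post or of Snort itself: the hex content decodes to "Pinging from Del", itype:8 restricts the match to Echo Requests, and depth:32 means the pattern must lie entirely within the first 32 bytes of the ICMP payload. The ICMP messages below are constructed for the example; the function and sample names are my own.

```python
import struct

# Fields taken from the SID 372 rule text.
CONTENT = bytes.fromhex("50696e67696e672066726f6d2044656c")  # b"Pinging from Del"
ITYPE = 8   # ICMP Echo Request
DEPTH = 32  # only the first 32 payload bytes are searched

ICMP_HEADER_LEN = 8  # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build a constructed ICMP message (header + payload) for the samples."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes):
    """Return (type, code, payload) from a raw ICMP message."""
    if len(packet) < ICMP_HEADER_LEN:
        raise ValueError("truncated ICMP header")
    itype, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    return itype, code, packet[ICMP_HEADER_LEN:]


def matches_sid_372(packet: bytes) -> bool:
    """True when the packet satisfies itype:8 and content ... depth:32."""
    itype, _code, payload = parse_icmp(packet)
    if itype != ITYPE:
        return False
    # depth bounds the search window: the whole pattern must end within
    # the first DEPTH bytes of the payload, so a later occurrence is ignored.
    return CONTENT in payload[:DEPTH]


def scan(packets: dict) -> list:
    """Return the names of the sample packets that would fire the rule."""
    return [name for name, pkt in packets.items() if matches_sid_372(pkt)]


# Constructed samples (hypothetical, not captured traffic).
SAMPLES = {
    # Echo Request whose payload starts with the Delphi string: fires.
    "delphi_echo_request": build_icmp(8, b"Pinging from Delphi code"),
    # Same payload in an Echo Reply (type 0): itype:8 excludes it.
    "delphi_echo_reply": build_icmp(0, b"Pinging from Delphi code"),
    # Pattern present but only after byte 40: outside depth:32.
    "content_beyond_depth": build_icmp(8, b"A" * 40 + CONTENT),
    # Pattern starts at byte 20 and ends at byte 36: does not fit within depth.
    "content_straddles_depth": build_icmp(8, b"A" * 20 + CONTENT),
    # Typical Windows ping payload: no match.
    "windows_default_ping": build_icmp(8, b"abcdefghijklmnopqrstuvwabcdefghi"),
}

if __name__ == "__main__":
    print("matched:", scan(SAMPLES))
```

Because the match is purely on the payload prefix, any ping tool that lets the user set the data bytes can reproduce it, which is why the false-positive note below matters for anyone tuning this rule.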
An attacker will often ping a machine to make sure it is up before
Ease of Attack:
This program is also used legitimately by users and/or network
administrators to troubleshoot problems. It is possible to emulate this
ping signature using another ping utility.
ICMP packets can be blocked with a firewall.
Documentation - Steven Alexander <alexander.s at ...1565...>