[Snort-sigs] SID 385, 19 of 20
alexander.s at ...1565...
Mon Jun 9 09:50:41 EDT 2003
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP
classtype:attempted-recon; sid:385; rev:3;)
Summary:
Traceroute is a standard networking utility that determines the routers
that data will travel through en route to a destination. This rule
indicates that a traceroute is being performed against one of the hosts
on your network, probably by a host running Microsoft Windows, since the
Windows tracert utility probes with ICMP Echo Requests rather than the UDP
packets most Unix implementations use.
Impact:
Traceroute can be used as a reconnaissance tool. It reveals information
about the layout of a network, including the addresses of the routers on
the path to the target host.
Detailed Information:
Traceroute works by sending an ICMP Echo Request packet to a destination
host with a TTL value of 1. If the host is more than one hop away, the
first router that receives the packet decrements the TTL to 0, discards
the packet and sends back an ICMP Time Exceeded message. The address of
this router is then listed as the first hop. The packet is then sent out
again with a TTL of 2. This continues until the destination host is able
to reply or some maximum TTL value is reached. Unix implementations
generally use UDP packets sent to a high-numbered port that is unlikely to
be in use (by convention starting at 33434) rather than an ICMP Echo
Request, and recognise the final hop by the ICMP Port Unreachable message
the destination returns. In either case the TTL on the packet is decreased
by 1 as it passes each router, so the probe that finally reaches the
destination network arrives with a TTL of 1; that is the packet this rule
is looking for. Because the rule only inspects ICMP, a UDP-based traceroute
will not trigger it.
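The following is an added example, not code from this post or from Snort. It simulates the TTL mechanics described above over a constructed three-router path, runs both the Windows-style (ICMP Echo Request) and Unix-style (UDP) probe loops, and then applies the condition the description relies on (an ICMP Echo Request arriving in $HOME_NET with TTL 1) to whatever reaches the destination. The addresses are from the RFC 5737 documentation ranges, the 10.0.0.0/24 home network and the path are made up for the demonstration, and the one-probe-per-hop packet model is a deliberate simplification of what real implementations send.

```python
# Added example (not from the Snort-sigs post or from Snort): simulate
# traceroute TTL handling over a constructed path and test the ICMP/TTL-1
# condition at the destination network. Addresses and path are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REQUEST = 8


@dataclass
class Probe:
    src: str
    dst: str
    ttl: int
    proto: int                       # PROTO_ICMP or PROTO_UDP
    icmp_type: Optional[int] = None  # set for ICMP probes
    dport: Optional[int] = None      # set for UDP probes


@dataclass
class Reply:
    src: str   # router or host that answered
    kind: str  # "time-exceeded", "echo-reply" or "port-unreachable"


def forward(probe: Probe, routers: List[str], dest: str) -> Tuple[Reply, Optional[Probe]]:
    """Carry one probe along the path. Every router decrements the TTL and,
    when it reaches 0, drops the packet and answers with ICMP Time Exceeded.
    Returns the reply plus the probe as it arrived at the destination
    (None if it never got there)."""
    ttl = probe.ttl
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return Reply(router, "time-exceeded"), None
    arrived = Probe(probe.src, probe.dst, ttl, probe.proto, probe.icmp_type, probe.dport)
    if probe.proto == PROTO_ICMP and probe.icmp_type == ICMP_ECHO_REQUEST:
        return Reply(dest, "echo-reply"), arrived
    return Reply(dest, "port-unreachable"), arrived   # UDP to a closed high port


def traceroute(src: str, dest: str, routers: List[str], style: str = "windows",
               max_ttl: int = 30) -> Tuple[List[str], List[Probe]]:
    """Probe loop with increasing TTL. "windows" sends ICMP Echo Requests
    (tracert); "unix" sends UDP to 33434, 33435, ... (one probe per hop here;
    real implementations usually send three). Returns the hop list the tracer
    learns and the probes that actually reached the destination network."""
    hops, seen_at_dest = [], []
    for ttl in range(1, max_ttl + 1):
        if style == "windows":
            probe = Probe(src, dest, ttl, PROTO_ICMP, icmp_type=ICMP_ECHO_REQUEST)
        else:
            probe = Probe(src, dest, ttl, PROTO_UDP, dport=33434 + ttl - 1)
        reply, arrived = forward(probe, routers, dest)
        hops.append(reply.src)
        if arrived is not None:
            seen_at_dest.append(arrived)
        if reply.kind != "time-exceeded":   # destination answered: done
            break
    return hops, seen_at_dest


def sid385_matches(pkt: Probe, home_net: str) -> bool:
    """Condition implied by the description: an ICMP Echo Request that arrives
    inside HOME_NET with TTL 1 (assumption: the rule text, truncated above,
    tests exactly these fields)."""
    return (pkt.proto == PROTO_ICMP
            and pkt.icmp_type == ICMP_ECHO_REQUEST
            and pkt.ttl == 1
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(home_net))


if __name__ == "__main__":
    path = ["203.0.113.1", "198.51.100.1", "192.0.2.1"]   # constructed routers
    for style in ("windows", "unix"):
        hops, seen = traceroute("198.51.100.77", "10.0.0.5", path, style)
        flagged = [p for p in seen if sid385_matches(p, "10.0.0.0/24")]
        print(style, "hops:", hops, "| probes seen at dest:", len(seen),
              "| rule fires:", bool(flagged))
```

Both styles learn the same three routers, and in both cases exactly one probe (the TTL 4 one) reaches 10.0.0.5 with TTL 1. Only the Windows-style probe satisfies the ICMP condition; the UDP probe is a false negative for this rule, and an ordinary ping sent with the usual TTL of 64 arrives with TTL 61 and is not matched either.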
Traceroute is often used against machines on a network prior to an
Ease of Attack:
False Positives:
This program is also used legitimately by users and network
administrators to troubleshoot connectivity problems, so the alert on its
own does not indicate hostile intent.
Corrective Action:
ICMP packets can be blocked with a firewall. Dropping inbound ICMP Echo
Requests at the border stops this form of traceroute, at the cost of
inbound ping; a UDP-based traceroute is not affected by that filter and
has to be handled separately.
Documentation - Steven Alexander <alexander.s at ...1565...>