[Snort-sigs] Signature Definition #460, 5 of 20 and Signature Definition # 458
alexander.s at ...1565...
Mon Jun 9 11:59:07 EDT 2003
The corrective action will not work. An ICMP packet of type 2 is not a
ping. Also, pings are not connection oriented. You can block echo
requests or echo replies, but most (all?) firewalls will not monitor
outgoing ICMP echo requests to determine which echo replies are

ICMP types 1 and 2 are unassigned and not used by a vulnerability
scanner or hacker tool that I know of. If this packet shows up on your
network it is most likely a corrupted packet and possibly the result of
a malfunctioning device. It could also be the result of a TCP/IP
implementation that uses one of these unassigned types for its own
From: Esler, Joel Contractor [mailto:EslerJ at ...785...]
Sent: Monday, June 09, 2003 5:06 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Signature Definition #460, 5 of 20
Rule: -- ICMP Unassigned! (Type 2)
Sid: -- 460
Summary: -- This string detects an ICMP type of "2".
Impact: -- Unknown
Detailed Information: -- Certain scanners and hacker tools will allow
you to specifically craft ICMP types of 2, this could be an indication
of a vulnerability on your network, or an attacker crafting very
specific packets to sneak past outer defensive perimeters.
Affected Systems: -- Unknown
Attack Scenarios: -- Could be used for reconnaissance (Scanning tools)
Ease of Attack: -- Difficult
False Positives: -- Unknown
False Negatives: -- Unknown
Corrective Action: -- Disallow ICMP Ping inbound at the router or
firewall, only allow incoming if requested from inside the network.
Contributors: -- Joel Esler
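
The distinction drawn in the reply above (ping is ICMP type 8/0, while types 1 and 2 are unassigned and most likely point to a corrupted packet), shown as an added example that is not part of the original thread or of Snort. The function names, the sample packets (constructed here) and the use of the ICMP checksum as a triage hint are assumptions of this example.

```python
import struct

# ICMP types named in the thread: ping is 8 (request) / 0 (reply);
# types 1 and 2 are unassigned.
ECHO_REPLY, ECHO_REQUEST = 0, 8
UNASSIGNED = {1, 2}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Build a constructed sample ICMP message with a correct checksum."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def triage(msg: bytes) -> str:
    """Classify a raw ICMP message (starting at the ICMP header)."""
    if len(msg) < 8:
        return "truncated"
    # Summing a message that includes a correct checksum field yields 0.
    checksum_ok = inet_checksum(msg) == 0
    icmp_type = msg[0]
    if icmp_type in UNASSIGNED:
        # Bad checksum: consistent with a corrupted packet or faulty device.
        # Good checksum: the sender produced this type on purpose
        # (nonstandard stack or crafted packet); worth a closer look.
        return "unassigned/checksum-ok" if checksum_ok else "unassigned/checksum-bad"
    kind = {ECHO_REQUEST: "echo-request", ECHO_REPLY: "echo-reply"}.get(
        icmp_type, f"type-{icmp_type}")
    return kind if checksum_ok else kind + "/checksum-bad"

# Constructed samples: a normal ping, a well-formed type 2 message, and a
# ping whose type byte was changed from 8 to 2 without updating the checksum.
PING = build_icmp(ECHO_REQUEST, payload=b"abcdefgh")
TYPE2_WELL_FORMED = build_icmp(2)
TYPE2_CORRUPTED = bytes([2]) + PING[1:]

if __name__ == "__main__":
    for name, pkt in [("ping", PING), ("type 2, well-formed", TYPE2_WELL_FORMED),
                      ("type 2, corrupted ping", TYPE2_CORRUPTED)]:
        print(f"{name}: {triage(pkt)}")
```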