[Snort-sigs] Signature Definition #460, 5 of 20 and Signature Definition # 458

Steven Alexander alexander.s at ...1565...
Mon Jun 9 11:59:07 EDT 2003

The corrective action will not work.  An ICMP packet of type 2 is not a
ping.  Also, pings are not connection oriented.  You can block echo
request or echo replies but most(all?) firewalls will not monitor
outgoing icmp echo requests to determine which echo replies are

ICMP types 1 and 2 are unassigned and not used by an vulnerability
scanner or hacker tool that I know of. If this packet shows up on your
network it is most likely a corrupted packet and possibly the result of
a malfunctioning device.  It could also be the result of a TCP/IP
implementation that uses one of these unassigned types for it's own
non-standard purposes. 

-steven alexander

-----Original Message-----
From: Esler, Joel Contractor [mailto:EslerJ at ...785...] 
Sent: Monday, June 09, 2003 5:06 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Signature Definition #460, 5 of 20

 Rule: -- ICMP Unassigned! (Type 2)  
 Sid: -- 460
 Summary: -- This string detects and ICMP type of "2".
 Impact: -- Unknown
 Detailed Information: -- Certain scanners and hacker tools will allow
you to specifically craft ICMP types of 2, this could be an indication
of a vulnerability on your network, or an attacker crafting very
specific packets to sneak past outer defensive perimeters.  Affected
Systems: -- Unknown  Attack Scenarios: -- Could be used for
reconnasaince, (Scanning tools)  Ease of Attack: -- Difficult  False
Positives: -- Unknown  False Negatives: -- Unknown  Corrective Action:
-- Disallow ICMP Ping inbound at the router or firewall, only allow
incoming if requested from inside the network.
 Contributors: -- Joel Esler
 Additional References: 

This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list