[Snort-sigs] Signature Definition #462, 6 of 20

Esler, Joel Contractor EslerJ at ...785...
Tue Jun 10 03:20:02 EDT 2003

Okay, correction...  

Corrective Action:  Disallow all ICMP at the router.  Drop it.

-----Original Message-----
From: Steven Alexander [mailto:alexander.s at ...1565...]
Sent: Monday, June 09, 2003 3:00 PM
To: Esler, Joel Contractor; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] Signature Definition #462, 6 of 20

My earlier post also applies to this entry.

"The corrective action will not work.  An ICMP packet of type 2 is not a
ping.  Also, pings are not connection oriented.  You can block echo
request or echo replies but most(all?) firewalls will not monitor
outgoing icmp echo requests to determine which echo replies are

ICMP types 1 and 2 are unassigned and not used by a vulnerability
scanner or hacker tool that I know of. If this packet shows up on your
network it is most likely a corrupted packet and possibly the result of
a malfunctioning device.  It could also be the result of a TCP/IP
implementation that uses one of these unassigned types for its own
non-standard purposes.

-steven alexander"

-----Original Message-----
From: Esler, Joel Contractor [mailto:EslerJ at ...785...] 
Sent: Monday, June 09, 2003 5:07 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Signature Definition #462, 6 of 20

 Rule: -- ICMP Unassigned! (Type 7)
 Sid: -- 462
 Summary: -- This string detects an ICMP type of "7".
 Impact: -- Unknown
 Detailed Information: -- Certain scanners and hacker tools will allow
you to specifically craft ICMP types of 7; this could be an indication
of a vulnerability on your network, or an attacker crafting very
specific packets to sneak past outer defensive perimeters.
 Affected Systems: -- Unknown
 Attack Scenarios: -- Could be used for reconnaissance (scanning tools)
 Ease of Attack: -- Difficult
 False Positives: -- Unknown
 False Negatives: -- Unknown
 Corrective Action: -- Disallow ICMP Ping inbound at the router or
firewall, only allow incoming if requested from inside the network.
 Contributors: -- Joel Esler
 Additional References:
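An added illustration of the point argued in this thread (written for this page; not code from the list, from Snort, or from either poster): a small ICMP header decoder plus three predicates that model SID 462's alert condition, the original "block ping" corrective action, and the corrected "drop all ICMP" action. The set of unassigned types {1, 2, 7} is taken from the thread, and the policy functions are constructed simplifications of what a router ACL would do.

```python
import struct

# ICMP types discussed in this thread: 7 is what SID 462 alerts on; 1 and 2 are
# the other unassigned types mentioned. (Constructed set, taken from the thread.)
UNASSIGNED_TYPES = {1, 2, 7}
ECHO_REPLY, ECHO_REQUEST = 0, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, rest: int = 0, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used only to make test input)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest) + payload
    return struct.pack("!BBHI", icmp_type, code, inet_checksum(header), rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; the checksum is valid iff the whole sum folds to 0."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, checksum, rest = struct.unpack("!BBHI", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": checksum, "rest": rest,
            "payload": packet[8:], "checksum_ok": inet_checksum(packet) == 0}


def sid462_matches(packet: bytes) -> bool:
    """Alert condition in the spirit of SID 462: ICMP type 7 (plus unassigned types 1 and 2)."""
    return parse_icmp(packet)["type"] in UNASSIGNED_TYPES


def dropped_by_ping_filter(packet: bytes) -> bool:
    """The original corrective action: block only echo request/reply ('ping').

    A type 7 message is neither, so this filter lets exactly the traffic the rule
    alerts on pass through, which is Steven Alexander's objection."""
    return parse_icmp(packet)["type"] in (ECHO_REQUEST, ECHO_REPLY)


def dropped_by_drop_all_icmp(packet: bytes) -> bool:
    """The corrected advice at the top of the thread: every ICMP message is dropped."""
    return True
```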
