[Snort-sigs] Signature Definition #460, 5 of 20 and Signature Definition # 458

Jeff Nathan jeff at ...95...
Tue Jun 10 11:47:05 EDT 2003


Indeed :)

mangler):~/nemesis-1.4beta3/src$ 7: ./nemesis icmp help

ICMP Packet Injection -=- The NEMESIS Project Version 1.4beta3 (Build 21)

ICMP Usage:
  icmp [-v (verbose)] [options]

ICMP options:
  -i <ICMP type>
  -c <ICMP code>
  -s <ICMP sequence number>
  -m <IP address mask for ICMP address mask>
  -G <Preferred gateway IP address for ICMP redirect>
  -e <ICMP ID>
  -P <Payload file>
  -q <ICMP injection mode>
     -qE echo, -qM mask, -qU unreach, -qX time exceeded,
     -qR redirect, -qT timestamp

I'll bet hping does the same, if not more.

-Jeff

--On Tuesday, June 10, 2003 6:05 -0400 "Esler, Joel Contractor" 
<EslerJ at ...785...> wrote:

> So there is no hacker tool that can craft packets like that? I beg to
> differ.
>
> J
>
> -----Original Message-----
> From: Steven Alexander [mailto:alexander.s at ...1565...]
> Sent: Monday, June 09, 2003 2:58 PM
> To: Esler, Joel Contractor; snort-sigs at lists.sourceforge.net
> Subject: RE: [Snort-sigs] Signature Definition #460, 5 of 20 and
> Signature Definition # 458
>
>
> The corrective action will not work.  An ICMP packet of type 2 is not a
> ping.  Also, pings are not connection oriented.  You can block echo
> requests or echo replies, but most (all?) firewalls will not monitor
> outgoing ICMP echo requests to determine which echo replies are
> legitimate.
>
> ICMP types 1 and 2 are unassigned and not used by any vulnerability
> scanner or hacker tool that I know of. If this packet shows up on your
> network it is most likely a corrupted packet and possibly the result of
> a malfunctioning device.  It could also be the result of a TCP/IP
> implementation that uses one of these unassigned types for its own
> non-standard purposes.
>
> -steven alexander
>
> -----Original Message-----
> From: Esler, Joel Contractor [mailto:EslerJ at ...785...]
> Sent: Monday, June 09, 2003 5:06 AM
> To: 'snort-sigs at lists.sourceforge.net'
> Subject: [Snort-sigs] Signature Definition #460, 5 of 20
>
>
>  Rule: -- ICMP Unassigned! (Type 2)
>  Sid: -- 460
>  Summary: -- This rule detects an ICMP type of "2".
>  Impact: -- Unknown
>  Detailed Information: -- Certain scanners and hacker tools will allow
> you to specifically craft ICMP types of 2. This could be an indication
> of a vulnerability on your network, or an attacker crafting very
> specific packets to sneak past outer defensive perimeters.
>  Affected Systems: -- Unknown
>  Attack Scenarios: -- Could be used for reconnaissance (scanning tools)
>  Ease of Attack: -- Difficult
>  False Positives: -- Unknown
>  False Negatives: -- Unknown
>  Corrective Action: -- Disallow ICMP Ping inbound at the router or
> firewall, only allow incoming if requested from inside the network.
>  Contributors: -- Joel Esler
>  Additional References:
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs



--
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- Albert Einstein
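As an added illustration (not code from this thread, from Snort or from nemesis), a small Python decoder that makes the decision behind sid 460 concrete: it reads the type from a raw ICMP message, flags the unassigned types 1 and 2 the thread argues about, and adds the RFC 1071 checksum test that separates Steven's "corrupted packet" explanation from a deliberately crafted or non-standard one. The type table, the sample messages and the verdict strings are constructed here for the example.

```python
import struct

# ICMP type numbers from RFC 792; 1 and 2 are unassigned, which is what the
# "ICMP Unassigned!" rules in this thread match on (sid 460 is type 2).
ASSIGNED_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 11: "time exceeded",
    12: "parameter problem", 13: "timestamp", 14: "timestamp reply",
    17: "address mask request", 18: "address mask reply",
}
UNASSIGNED_TYPES = {1, 2}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, ident, seq, payload=b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (sample construction)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def corrupt_last_byte(packet: bytes) -> bytes:
    """Simulate a transit error by inverting the final payload byte."""
    damaged = bytearray(packet)
    damaged[-1] ^= 0xFF
    return bytes(damaged)


def classify_icmp(packet: bytes) -> dict:
    """What sid 460 sees (the type byte) plus the checksum check it lacks."""
    if len(packet) < 4:
        return {"alert": False, "verdict": "truncated"}
    icmp_type, code = packet[0], packet[1]
    checksum_ok = icmp_checksum(packet) == 0  # a valid message folds to zero
    if icmp_type in UNASSIGNED_TYPES:
        verdict = ("unassigned type, crafted or non-standard stack" if checksum_ok
                   else "unassigned type, bad checksum: likely corrupted")
        return {"type": icmp_type, "code": code, "checksum_ok": checksum_ok,
                "alert": True, "verdict": verdict}
    return {"type": icmp_type, "code": code, "checksum_ok": checksum_ok,
            "alert": False, "verdict": ASSIGNED_TYPES.get(icmp_type, "other")}


# Constructed samples: a normal echo request, a type 2 message, and the same
# type 2 message damaged in transit so that the checksum no longer verifies.
ECHO_REQUEST = build_icmp(8, 0, 0x1234, 1, b"ping")
CRAFTED_TYPE2 = build_icmp(2, 0, 0x1234, 1, b"ping")
CORRUPTED_TYPE2 = corrupt_last_byte(CRAFTED_TYPE2)
```

Feeding the three samples to classify_icmp shows the rule firing on both type 2 messages while only the checksum distinguishes the crafted one from the corrupted one.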