[Snort-sigs] sig for recent massive ICMP scans
newsfeed at ...1411...
Thu Sep 25 13:44:12 EDT 2003
I don't know if everybody else has been receiving the amount of ICMP
traffic scans we have been (noticed on multiple sensors and different
ISPs), but they were triggering on false CyberKit rules. Here's a sig
I'm working on that seems to match this particular issue. The
recommendation from the CyberKit rule on snort.org for blocking certain
ICMP traffic works like a charm, but if you're determined to weed these
folks out, here's the sig; comments are welcome.
I've seen that the packet size is always 106 bytes, and the payload area is
always 64. They scan the next netblock after hitting the .10 and .50 IPs
of the previous class C, which is the actual target of the scan. Header
size is also 20 bytes.
# sid 1000001 below is a placeholder from the local range (1000000 and up); adjust it for your rule set
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Scan Netblock (VIRUS?)"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; icode:0; depth:106; classtype:misc-activity; sid:1000001; rev:1;)
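The same check as the sig above, as an added example (not code from the original post): a small Python matcher that parses a raw Ethernet/IPv4/ICMP frame and flags echo requests carrying the 64-byte 0xaa payload, plus a helper that lists the offending source hosts. It assumes the 106-byte size in the post is the Ethernet frame length (14 Ethernet + 20 IP + 8 ICMP + 64 payload = 106); the sample frames are constructed inline with zeroed checksums and documentation-range addresses, not captured traffic.

```python
import struct

ETH_HDR_LEN = 14
IP_HDR_LEN = 20           # post says the header is 20 bytes (no IP options)
ICMP_HDR_LEN = 8
FRAME_LEN = 106           # packet size reported in the post, taken here as frame length
SCAN_PAYLOAD = b"\xaa" * 64  # the 64 bytes of 0xaa the rule's content option looks for


def build_echo_request(src, dst, payload, ident=0x1234, seq=1):
    """Build a minimal Ethernet/IPv4/ICMP echo-request frame (constructed sample data).
    Checksums are left at zero; only the fields the matcher reads are meaningful."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst/src MAC, EtherType IPv4
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload  # type 8, code 0
    total_len = IP_HDR_LEN + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + icmp


def matches_scan_signature(frame):
    """True when the frame is what the post describes: a 106-byte frame holding an
    IPv4 packet with a 20-byte header, ICMP echo request (itype 8, icode 0) whose
    payload is exactly 64 bytes of 0xaa."""
    if len(frame) != FRAME_LEN or frame[12:14] != b"\x08\x00":
        return False
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl != IP_HDR_LEN or ip[9] != 1:   # IPv4, 20-byte header, proto ICMP
        return False
    icmp = ip[ihl:]
    itype, icode = icmp[0], icmp[1]
    return itype == 8 and icode == 0 and icmp[ICMP_HDR_LEN:] == SCAN_PAYLOAD


def scanning_sources(frames):
    """Sorted list of source IPs (dotted quads) that sent a matching frame, which is the
    list you would feed into a block rule or an incident ticket."""
    hits = set()
    for frame in frames:
        if matches_scan_signature(frame):
            src = frame[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16]
            hits.add(".".join(str(b) for b in src))
    return sorted(hits)


if __name__ == "__main__":
    scan = build_echo_request("192.0.2.7", "198.51.100.10", SCAN_PAYLOAD)
    benign = build_echo_request("192.0.2.8", "198.51.100.10", bytes(range(56)))
    print(scanning_sources([scan, benign]))
```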