[Snort-sigs] sig for recent massive ICMP scans

SoloNet Newsfeed newsfeed at ...1411...
Thu Sep 25 13:44:12 EDT 2003


I don't know if everybody else has been receiving the amount of ICMP 
traffic scans we have been (noticed on multiple sensors and different 
ISPs), but they were triggering false positives on the CyberKit rules. Here's a sig 
I'm working on that seems to match this particular issue. The 
recommendation from the CyberKit rule on snort.org for blocking certain 
ICMP traffic works like a charm, but if you're determined to weed these 
folks out, here's the sig; comments are welcome.

I've seen that the packet size is always 106 bytes; the payload is 
always 64. They scan the next netblock after hitting the .10 and .50 IPs 
of the previous class C, which is the actual target of the scan. Header 
size is also 20 bytes.

# sid in the local range added here as a placeholder; the rule as posted had none
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Scan Netblock (VIRUS?)"; \
    content:"|aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa|"; depth:106; \
    itype:8; icode:0; classtype:misc-activity; sid:1000001; rev:1;)
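As an added example (not part of the original post or of the snort.org ruleset), the rule's matching conditions expressed in Python and run over constructed frames, beside an approximation of the CyberKit rule's content check (16 bytes of 0xaa within depth 32, reproduced from memory) to show why that rule fires on the same packets. It assumes the 106-byte figure in the post is the Ethernet frame length (14 Ethernet + 20 IP + 8 ICMP + 64 payload); the sample frames and addresses are constructed.

```python
import struct

ICMP_ECHO_REQUEST = 8
SCAN_PATTERN = b"\xaa" * 64       # the 64 bytes of 0xaa in the posted rule
CYBERKIT_PATTERN = b"\xaa" * 16   # shorter 0xaa run in the CyberKit rule (approximation)


def build_frame(payload, itype=ICMP_ECHO_REQUEST, icode=0):
    """Construct an Ethernet/IPv4/ICMP frame (test data; RFC 5737 addresses)."""
    eth = b"\x00" * 12 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0,
                     64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 10]))
    icmp = struct.pack("!BBHHH", itype, icode, 0, 0x1234, 1) + payload
    return eth + ip + icmp


def icmp_fields(frame):
    """Return (itype, icode, payload), or None unless IPv4/ICMP with a 20-byte IP header."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl != 20 or frame[14 + 9] != 1:          # post notes a 20-byte header; proto 1 = ICMP
        return None
    icmp = frame[14 + ihl:]
    return icmp[0], icmp[1], icmp[8:]


def matches_scan_rule(frame):
    """Posted rule: itype:8; icode:0; 64 x 0xaa found within depth:106 of the payload."""
    fields = icmp_fields(frame)
    if fields is None:
        return False
    itype, icode, payload = fields
    return itype == ICMP_ECHO_REQUEST and icode == 0 and SCAN_PATTERN in payload[:106]


def matches_cyberkit_rule(frame):
    """Approximation of the CyberKit rule: itype:8 and 16 x 0xaa within depth:32."""
    fields = icmp_fields(frame)
    if fields is None:
        return False
    itype, _icode, payload = fields
    return itype == ICMP_ECHO_REQUEST and CYBERKIT_PATTERN in payload[:32]


if __name__ == "__main__":
    samples = {
        "scan (64 x 0xaa)": build_frame(SCAN_PATTERN),
        "shorter 0xaa ping (constructed)": build_frame(b"\xaa" * 24),
        "echo reply with 64 x 0xaa": build_frame(SCAN_PATTERN, itype=0),
        "ordinary ping payload": build_frame(bytes(range(56))),
    }
    for name, frame in samples.items():
        print(f"{name:32} len={len(frame):3} scan={matches_scan_rule(frame)} "
              f"cyberkit={matches_cyberkit_rule(frame)}")
```

The scan frame trips both checks while the shorter 0xaa ping trips only the CyberKit one, which is the false-positive overlap the post describes.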