[Snort-sigs] About Sid:466

Fabrice Rafart fabrice.rafart at ...2225...
Wed Feb 11 09:19:41 EST 2004


Hello,

Rule:

--
Sid: 466

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

I have some ICMP L3retriever Ping alerts in my log from my PC to my Domain
Controllers. My Snort doesn't run in promiscuous mode, so the IP isn't forged.
I don't have the L3 "Retriever 1.5" security scanner on my PC.

This link confirms my idea:

http://www.whitehats.com/info/IDS311
In the false positives part:
"This type of ICMP ping seems to be also generated by (plain) Win2K host
talking to Win2K domain controllers." --nnposter

Here is the capture of one packet:

Frame 4 (74 bytes on wire, 74 bytes captured)
    Arrival Time: Feb 11, 2004 09:30:46.011174000
    Time delta from previous packet: 12.519350000 seconds
    Time relative to first packet: 85.369697000 seconds
    Frame Number: 4
    Packet Length: 74 bytes
    Capture Length: 74 bytes
Ethernet II, Src: 00:02:a5:ab:36:23, Dst: 00:09:6b:40:ce:ce
    Destination: 00:09:6b:40:ce:ce (Ibm_40:ce:ce)
    Source: 00:02:a5:ab:36:23 (CompaqCo_ab:36:23)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.56.200.20 (10.56.200.20), Dst Addr: 10.56.200.30 (10.56.200.30)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x9778
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: ICMP (0x01)
    Header checksum: 0xfea5 (correct)
    Source: 10.56.200.20 (10.56.200.20)
    Destination: 10.56.200.30 (10.56.200.30)
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0
    Checksum: 0xcf5b (correct)
    Identifier: 0x0200
    Sequence number: 86:02
    Data (32 bytes)

0000  00 09 6b 40 ce ce 00 02 a5 ab 36 23 08 00 45 00   ..k@......6#..E.
0010  00 3c 97 78 00 00 80 01 fe a5 0a 38 c8 14 0a 38   .<.x.......8...8
0020  c8 1e 00 00 cf 5b 02 00 86 02 41 42 43 44 45 46   .....[....ABCDEF
0030  47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56   GHIJKLMNOPQRSTUV
0040  57 41 42 43 44 45 46 47 48 49                     WABCDEFGHI

--
False Negatives:

--
Corrective Action:

--
Contributors:

--
Additional References:

--
Fabrice Rafart
Systems and network administrator
