[Snort-users] Re: Name that tool: 91 suspicious ICMP_ECHO (fwd)

John Pettitt jpp at ...230...
Mon Aug 7 17:56:25 EDT 2000


That confirms what I've been seeing - when we send mail to some hosts 
(acm.org is a good example) we get a large ICMP warning.  In each case nmap 
reports an AIX or HP-UX box on the other end.

John

At 01:31 PM 08/07/2000, Lance Spitzner wrote:
>Several of us have been discussing false positives with
>large-icmp warning by snort.  Cristine Hoepers has helped
>identify a possible source, AIX 4.3.3 Path MTU discovery.
>See her information below. Thanks Cristine!  :)
>
>Lance Spitzner
>http://www.enteract.com/~lspitz/papers.html
>
>---------- Forwarded message ----------
>Date: Mon, 7 Aug 2000 17:18:47 -0300
>From: Cristine Hoepers <cristine at ...275...>
>To: Lance Spitzner <lance at ...185...>
>Subject: Re: Name that tool: 91 suspicious ICMP_ECHO
>
>Hi,
>
>I saw the answer today in http://www.enteract.com/~lspitz/scan4.txt and
>I have some comments.
>
>In our case we have talked with the admin of the offending machine and
>he has confirmed to us that the machine was an AIX 4.3.3 with those
>MTU options.
>
>Then we performed several tests and confirmed that if those options are
>set to ``0'' instead of ``1'', the machine stopped sending these ICMP
>packets.
>
>Regarding the comment about the ttl, here are the results of a ping
>and an SMTP connection to that AIX machine. All tests/logs were produced
>by a machine 7 hops away from the offending machine.
>
>[ttl 255, icmp]
>
>$ ping offending.host.br
>PING offending.host.br (a.b.c.23): 56 data bytes
>64 bytes from a.b.c.23: icmp_seq=0 ttl=248 time=49.593 ms
>64 bytes from a.b.c.23: icmp_seq=1 ttl=248 time=63.091 ms
>
>[ttl 60, tcp/udp]
>
>16:37:05.611379 offending.host.br.smtp > my.host.br.cadkey-licman: S 
>3823698817:3823698817(0) ack 4109119424 win 16384 <mss 512> (ttl 53, id 22168)
>
>
>And here are our snort logs with the large icmp packets:
>
>[**] IDS246/large-icmp [**]
>05/30-12:54:03.877648 a.b.c.23 -> x.y.z.2
>ICMP TTL:249 TOS:0x0 ID:46492  DF
>ID:0   Seq:0  ECHO
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>
>
>Regards,
>Cristine
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>http://lists.sourceforge.net/mailman/listinfo/snort-users


John Pettitt                                     Email: jpp at ...230...

"...'just say no' has done as much for drugs and sex as 'have a nice day' 
has for depression." -- Dr. E. Tyson, Texas Medical Association

PGP keys on MIT & pgp.com servers.
Fingerprint: 81B5 446D 3E0E 1CDE 5A45  644A A744 54C4 7886 3658
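The pattern the thread converges on (ICMP echo request, DF set, an all-zero payload that fills a 1500-byte MTU, a TTL that decrements from 255 while the same host's TCP TTL decrements from 60) can be checked mechanically when triaging large-icmp alerts. The Python below is an added example, not code from this post, from Snort or from IBM. It parses the Snort 1.x ASCII alert format quoted above, rebuilds Cristine's alert as a constructed sample (92 lines of zero bytes, as in her dump) next to a constructed contrast case, and applies those checks. The 800-byte size threshold and the ICMP id/seq 0/0 check are assumptions drawn from the rule name and the posted log, not from a documented AIX specification, and the TTL reasoning is the heuristic used in the thread (initial TTL guessed from a short list of common values).

```python
import re

# --- Constructed sample input -------------------------------------------
# Same header fields as the alert in the thread; the payload is rebuilt as
# 92 lines of 16 zero bytes (1472 bytes = a 1500-byte MTU minus the 20-byte
# IP and 8-byte ICMP headers), which is what the posted dump contained.
ZERO_LINE = " ".join(["00"] * 16) + "  " + "." * 16
AIX_ALERT = "\n".join([
    "[**] IDS246/large-icmp [**]",
    "05/30-12:54:03.877648 a.b.c.23 -> x.y.z.2",
    "ICMP TTL:249 TOS:0x0 ID:46492  DF",
    "ID:0   Seq:0  ECHO",
] + [ZERO_LINE] * 92) + "\n"

# Constructed contrast case (not from the thread): same size, but a
# non-zero payload, no DF bit and a TTL that need not have started at 255.
TEXT_LINE = " ".join(["41"] * 16) + "  " + "A" * 16
OTHER_ALERT = "\n".join([
    "[**] IDS246/large-icmp [**]",
    "05/30-13:02:11.000000 10.0.0.9 -> x.y.z.2",
    "ICMP TTL:57 TOS:0x0 ID:1234",
    "ID:4242   Seq:1  ECHO",
] + [TEXT_LINE] * 92) + "\n"

HEADER_RE = re.compile(r"^ICMP TTL:(\d+) TOS:0x([0-9a-fA-F]+) ID:(\d+)(\s+DF)?\s*$")
ECHO_RE = re.compile(r"^ID:(\d+)\s+Seq:(\d+)\s+(ECHO(?: REPLY)?)\s*$")
HEX_BYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")

# Common initial TTLs. 60 is the AIX TCP default the thread points out
# ("[ttl 60, tcp/udp]"); 255 is what its ICMP starts from.
INITIAL_TTLS = (32, 60, 64, 128, 255)


def parse_alert(text):
    """Parse one Snort 1.x ASCII alert (header lines plus hex dump)."""
    rec = {"payload": bytearray()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[**]"):
            rec["sig"] = line.strip("[]* ")
            continue
        if " -> " in line:
            ts, rest = line.split(" ", 1)
            src, dst = rest.split(" -> ")
            rec.update(ts=ts, src=src.strip(), dst=dst.strip())
            continue
        m = HEADER_RE.match(line)
        if m:
            rec.update(ttl=int(m.group(1)), tos=int(m.group(2), 16),
                       ip_id=int(m.group(3)), df=m.group(4) is not None)
            continue
        m = ECHO_RE.match(line)
        if m:
            rec.update(icmp_id=int(m.group(1)), seq=int(m.group(2)), kind=m.group(3))
            continue
        # Hex dump line: bytes separated by one space, then the ASCII column
        # after two or more spaces. The last line of a dump may be short.
        tokens = re.split(r"\s{2,}", line, maxsplit=1)[0].split()
        if tokens and all(HEX_BYTE_RE.match(t) for t in tokens):
            rec["payload"].extend(int(t, 16) for t in tokens)
    return rec


def hop_candidates(ttl):
    """Map each plausible initial TTL >= the observed TTL to the hop count it implies."""
    return {init: init - ttl for init in INITIAL_TTLS if ttl <= init}


def consistent_hops(icmp_ttl, tcp_ttl):
    """Hop counts that explain both an ICMP and a TCP TTL seen from one host,
    as (hops, icmp_initial_ttl, tcp_initial_ttl). This is the check behind
    the thread's 'ttl 255 icmp / ttl 60 tcp, 7 hops away' observation."""
    icmp, tcp = hop_candidates(icmp_ttl), hop_candidates(tcp_ttl)
    return sorted((h, i, t) for i, h in icmp.items()
                  for t, h2 in tcp.items() if h == h2)


def triage(rec, large=800):
    """Compare a parsed alert with the PMTU-discovery probe pattern from the
    thread. `large` is an assumed dsize threshold for the large-icmp rule."""
    payload = rec["payload"]
    reasons = []
    if rec.get("kind") != "ECHO":
        reasons.append("not an echo request")
    if len(payload) < large:
        reasons.append("payload %d bytes < %d" % (len(payload), large))
    if not rec.get("df"):
        reasons.append("DF not set")
    if any(payload):
        reasons.append("payload not all zero")
    if rec["ttl"] <= 128:   # anything above 128 can only have started at 255
        reasons.append("TTL %d does not imply an initial TTL of 255" % rec["ttl"])
    if (rec.get("icmp_id"), rec.get("seq")) != (0, 0):
        reasons.append("ICMP id/seq not 0/0 as in the posted alert")
    verdict = "needs review" if reasons else "consistent with AIX 4.3.3 PMTU-discovery probe"
    return {"src": rec["src"], "dst": rec["dst"], "payload_len": len(payload),
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for text in (AIX_ALERT, OTHER_ALERT):
        r = triage(parse_alert(text))
        print("%s -> %s: %d bytes, %s %s" % (r["src"], r["dst"], r["payload_len"],
                                            r["verdict"], r["reasons"]))
    # ping showed ttl=248 and the SMTP SYN/ACK ttl 53, both from 7 hops away.
    print(consistent_hops(248, 53))   # [(7, 255, 60)]
```

The verdict only says that an alert matches the pattern reported here; it is a reason to lower the alert's priority for that source, not to drop the rule, and a packet that fails any one check (non-zero payload, no DF, an ICMP TTL that could have started at 64 or 128) still deserves a look.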
