[Snort-users] Faulty identification of ping host type

Tom Whipp twhipp at ...63...
Mon Jul 24 12:09:01 EDT 2000


Hi all,

	I was doing some network troubleshooting today and as part of that used a
host which we remote admin to launch some pings.  This host is without a
doubt a Solaris 2.6 installation - however Snort has reported it as a BSD
machine... I can only see a BSD rule in the rules base (no Solaris
versions).

Here is the rule in question and the packet trace.

alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS152 - PING BSD";
content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8;
depth: 32;)

[**] IDS152 - PING BSD [**]
07/24-11:49:57.462441 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
ICMP TTL:235 TOS:0x0 ID:12096  DF
ID:7629   Seq:1  ECHO
39 7C 11 4B 00 09 DF B5 08 09 0A 0B 0C 0D 0E 0F  9|.K............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

Unfortunately I don't have a BSD machine to compare against, so can anybody tell
me if the packets are identical or if there is an offset (or something) that
could be used to classify these a little more closely.  If not I'll just
modify my rulebase to flag these as a BSD/Solaris packet.

cheers

	Tom

PS:
The originating host in question is behind a static NAT'ing firewall
(fw-1) - I'm 99.999% sure that this doesn't matter but I thought I'd mention
it just in case.
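To see exactly what the IDS152 rule keys on, here is an added example (not from the post and not Snort code) that rebuilds the ICMP payload from the quoted dump, applies the rule's content/depth check the way Snort does, and splits the payload into the part that changes per packet and the part the signature matches. The names (parse_dump, content_offset, describe_layout) are mine, and reading the first 8 bytes as a big-endian struct timeval is an assumption made for the example, not something the post states.

```python
import re
from datetime import datetime, timezone

# Payload dump exactly as quoted in the post (hex columns plus Snort's ASCII column).
DUMP = """\
39 7C 11 4B 00 09 DF B5 08 09 0A 0B 0C 0D 0E 0F  9|.K............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
"""

# The content option and depth from the IDS152 rule in the post.
RULE_CONTENT = "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"
RULE_DEPTH = 32

HEX_COLUMNS = 16 * 3 - 1  # width of the 16 "xx " columns before the ASCII part


def parse_dump(text: str) -> bytes:
    """Rebuild the ICMP payload from Snort's hex+ASCII dump lines.

    Only the hex columns are read; the ASCII column (which may itself contain
    digits, e.g. "01234567" on the last line) is sliced off first.
    """
    payload = bytearray()
    for line in text.splitlines():
        for tok in line[:HEX_COLUMNS].split():
            if re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                payload.append(int(tok, 16))
    return bytes(payload)


def parse_content(spec: str) -> bytes:
    """Convert a purely binary Snort content string, |xx xx ...|, into bytes."""
    inner = spec.strip().strip("|")
    return bytes(int(b, 16) for b in inner.split())


def content_offset(payload: bytes, pattern: bytes, depth: int) -> int:
    """Apply Snort's content/depth semantics: the pattern must be found
    entirely within the first `depth` bytes of the payload. Returns the
    byte offset of the match, or -1 when the rule would not fire."""
    return payload[:depth].find(pattern)


def describe_layout(payload: bytes) -> dict:
    """Split the payload into the two parts visible in the dump: an 8-byte
    prefix that changes per packet, followed by a run of incrementing bytes.

    Interpreting the prefix as a struct timeval (32-bit seconds, 32-bit
    microseconds, big-endian) is an assumption made for this example; it is
    not something the post or the rule states.
    """
    secs = int.from_bytes(payload[0:4], "big")
    usecs = int.from_bytes(payload[4:8], "big")
    counter = payload[8:]
    # True if every byte after the prefix is the previous byte + 1
    sequential = all(counter[i] == counter[0] + i for i in range(len(counter)))
    return {
        "prefix_seconds": secs,
        "prefix_useconds": usecs,
        "prefix_as_utc": datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "counter_start": counter[0],
        "counter_len": len(counter),
        "counter_is_sequential": sequential,
    }


if __name__ == "__main__":
    payload = parse_dump(DUMP)
    pattern = parse_content(RULE_CONTENT)
    off = content_offset(payload, pattern, RULE_DEPTH)
    print(f"payload length: {len(payload)} bytes")
    print(f"IDS152 content matches at offset {off} (depth {RULE_DEPTH})")
    for k, v in describe_layout(payload).items():
        print(f"{k}: {v}")
```

Run as-is, it reports a 56-byte payload with the 16-byte signature found at offset 8, well inside depth 32, so the rule fires. Everything after the prefix is the bytes 0x08 through 0x37 in sequence, which is all the rule's content option contains; the only per-packet bytes are the first eight, and under the timeval reading they decode to a seconds value on 2000-07-24 with a microseconds field below one million. Since the signature carries nothing outside that shared counter region, there is no offset in this rule that could separate one ping implementation from another.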
