[Snort-users] stacheldraht server-spoof

Fernando Cardoso fernando at ...498...
Fri Nov 3 12:02:52 EST 2000

For some days I've been receiving snort alerts regarding stacheldraht server-spoof
packets. The origin is always different and they haven't any kind of pattern
(a couple of US universities, Portuguese and Spanish dial-up users, Dutch
cable users, AOL users). The packets all have a data portion beginning with
3F 3F 3F 3F (most of them 3F 3F 3F 3F 50). The destination address is always one
of my masqueraded intranet IPs.

[**] IDS193/stacheldraht server-spoof [**]
11/03-12:54:00.023854  cable.user.nl-> intranet.masqueraded.IP
ICMP TTL:244 TOS:0x0 ID:24155  DF
ID:666   Seq:1  ECHO
3F 3F 3F 3F 50 10 22 38 26 2F 00 00 01 01 08 0A  ????P."8&/......
01 9A                                            ..

[**] IDS193/stacheldraht server-spoof [**]
11/03-13:17:49.998303 dial-up.user.pt -> intranet.masqueraded.IP
ICMP TTL:237 TOS:0xA0 ID:53826  DF
ID:666   Seq:1  ECHO
3F 3F 3F 3F 50 11 7D 78 17 6E 00 00 02 04 05 B4  ????P.}x.n......
01 01                                            ..

Any thoughts of what this would be? I understand why snort is logging them:
they all have an ID of 666. But is it "normal" for an ICMP echo request to have
those 3F 3F 3F 3F at the beginning?

The snort rule I'm using is:
alert ICMP any any -> any any (msg: "IDS193/stacheldraht server-spoof"; itype: 8; icmp_id: 666;)



Fernando Cardoso              Phone:   +351 21 7982186
Network Administrator         Fax:     +351 21 7982185
National Library              E-mail:  fernando at ...498...
Portugal                      PGP ID:  28551CB8 
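
An added example, not part of the original post: a Python sketch that parses Snort alert blocks in the layout shown above and groups them by ICMP ID and leading payload bytes, to see how many hits on a rule that matches only itype and icmp_id share the same payload prefix. The sample alerts are constructed from the two in the post with placeholder addresses, and the function names are hypothetical.

```python
import re
# Constructed sample: the post's two alerts, with placeholder addresses.
SAMPLE = """\
[**] IDS193/stacheldraht server-spoof [**]
11/03-12:54:00.023854 192.0.2.10 -> 198.51.100.7
ICMP TTL:244 TOS:0x0 ID:24155  DF
ID:666   Seq:1  ECHO
3F 3F 3F 3F 50 10 22 38 26 2F 00 00 01 01 08 0A  ????P."8&/......
01 9A                                            ..

[**] IDS193/stacheldraht server-spoof [**]
11/03-13:17:49.998303 192.0.2.77 -> 198.51.100.7
ICMP TTL:237 TOS:0xA0 ID:53826  DF
ID:666   Seq:1  ECHO
3F 3F 3F 3F 50 11 7D 78 17 6E 00 00 02 04 05 B4  ????P.}x.n......
01 01                                            ..
"""

HEX_LINE = re.compile(r"^((?:[0-9A-F]{2} )+) ")   # hex column ends at a double space
ICMP_LINE = re.compile(r"^ID:(\d+)\s+Seq:(\d+)\s+(\S+)")
ADDR_LINE = re.compile(r"^\S+\s+(\S+)\s*->\s*(\S+)")

def parse_alerts(text):
    """Split Snort alert text into dicts with src, dst, icmp_id and payload."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        a = {"payload": b""}
        for line in block.splitlines():
            if m := HEX_LINE.match(line):
                a["payload"] += bytes.fromhex(m.group(1))
            elif m := ICMP_LINE.match(line):
                a["icmp_id"], a["icmp_type"] = int(m.group(1)), m.group(3)
            elif m := ADDR_LINE.match(line):
                a["src"], a["dst"] = m.group(1), m.group(2)
        alerts.append(a)
    return alerts

def summarize(alerts, prefix_len=4):
    """Group alerts by (ICMP ID, leading payload bytes) and collect sources."""
    groups = {}
    for a in alerts:
        key = (a.get("icmp_id"), a["payload"][:prefix_len].hex())
        g = groups.setdefault(key, {"count": 0, "sources": set()})
        g["count"] += 1
        g["sources"].add(a.get("src"))
    return groups

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE)))
```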
