[Snort-users] large icmp

Ch. Ganser christoph.ganser at ...824...
Tue Nov 21 04:02:13 EST 2000


hi 

i am new to snort and new to all this network (security) stuff. 

i newly installed snort, with the visions-rule-set and snortsnarf for
analysing the logs.

now i see many large icmp from one machine and stacheldraht
server-spoof from another one.

the undefined large icmp echo-packets go to 6 different hosts.

in all packets look like this (using ngrep -x "*" icmp):
9a bc de f0 00 00 00 00    00 00 00 00 00 00 00 00    ................
-- 91 lines like this one
00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
-- and
00 00 00 00                                           ....

what kind of program creates these packages? i could not find any useful
information on the net. as much as i know the box is a power mac g4.

the ddos-stacheldraht server-spoof has one source (internal) and 116
external targets.

are these normal signs?

thanks and bye


christoph

--
Christoph Ganser
Zuerich, Switzerland
PGP http://www.uplink.ethz.ch/~chganser/pgp_keys.asc
Mobile: +41 76 580 72 90


