[Snort-users] large icmp

Martin Roesch roesch at ...421...
Thu Nov 23 00:57:50 EST 2000


The large ICMP packets are frequently Path MTU Discovery packets from various
operating systems.  Check the list archives at Sourceforge for more
information on them.  

Without seeing the DDOS packet logs it's hard to say what you got....

    -Marty

"Ch. Ganser" wrote:
> 
> hi
> 
> i am new to snort and new to all this network (security) stuff.
> 
> i newly installed snort, with the visions-rule-set and snortsnarf for
> analysing the logs.
> 
> now i see many large icmp from one machine and stacheldraht
> server-spoof from another one.
> 
> the undefined large icmp echo-packets go to 6 different hosts.
> 
> all packets look like this (using ngrep -x "*" icmp):
> 9a bc de f0 00 00 00 00    00 00 00 00 00 00 00 00    ................
> -- 91 lines like this one
> 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
> -- and
> 00 00 00 00                                           ....
> 
> what kind of program creates these packets? i could not find any useful
> information on the net. as far as i know the box is a power mac g4.
> 
> the ddos-stacheldraht server-spoof has one source (internal) and 116
> external targets.
> 
> are these normal signs?
> 
> thanks and bye
> 
> christoph
> 
> --
> Christoph Ganser
> Zuerich, Switzerland
> PGP http://www.uplink.ethz.ch/~chganser/pgp_keys.asc
> Mobile: +41 76 580 72 90
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
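As an added illustration (not part of the original thread or of Snort itself), a small Python script that parses an IPv4/ICMP echo packet, applies the same dsize>800 check that Snort's classic "Large ICMP Packet" rule uses, and reports the payload shape: the leading bytes, whether the rest is zero padding, and whether the datagram is exactly 1500 bytes (a full Ethernet MTU, which is the shape a Path MTU Discovery probe has). The packet is constructed here to mirror the ngrep dump above; the addresses, id and sequence values are made up.

```python
import struct

DSIZE_THRESHOLD = 800  # threshold of Snort's classic "Large ICMP Packet" rule (dsize:>800)

def build_sample_packet(payload_len=1472, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed IPv4 + ICMP echo request: payload starts 9a bc de f0, rest zeros,
    like the ngrep dump in the post. Checksums are left at 0 (not validated below)."""
    payload = bytes.fromhex("9abcdef0") + bytes(max(payload_len - 4, 0))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload  # type 8 = echo request
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + icmp

def parse_icmp_echo(packet):
    """Return the ICMP echo fields of an IPv4 datagram, or None if it is not ICMP echo."""
    if packet[0] >> 4 != 4 or packet[9] != 1:  # IPv4 with protocol 1 (ICMP) only
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:total_len]
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (0, 8):  # echo reply / echo request
        return None
    return {"type": icmp_type, "id": ident, "seq": seq,
            "ip_total_len": total_len, "data": icmp[8:]}

def classify_icmp(packet, threshold=DSIZE_THRESHOLD):
    """Apply the large-ICMP check and summarise the payload pattern."""
    echo = parse_icmp_echo(packet)
    if echo is None:
        return None
    data = echo["data"]
    dsize = len(data)  # bytes after the 8-byte echo header, which is what Snort's dsize counts
    return {
        "dsize": dsize,
        "large": dsize > threshold,
        "ip_total_len": echo["ip_total_len"],
        "leading": data[:4].hex(),
        "zero_padded": dsize > 4 and not any(data[4:]),
        # 1500 bytes fills an Ethernet MTU exactly: the shape of a Path MTU Discovery probe
        "mtu_sized": echo["ip_total_len"] == 1500,
    }

if __name__ == "__main__":
    for n in (56, 1472):
        print(n, classify_icmp(build_sample_packet(n)))
```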


