[Snort-users] large icmp
ofir at ...64...
Thu Nov 23 15:28:35 EST 2000
Well, this one was discussed over and over :)
You can look at the payload of the datagram.
All lovely zeros.
For a match for PMTU discovery using ICMP Echo Requests you need:
DF Bit is set
Payload of zeros
Size of datagram (this will be in Ethernet case, well nearly all cases total
of 1500 bytes).
I think this should be tuned, so other signatures with ICMP can be tuned as
I am going to do some work on the issues I have introduced with my research
and put the applicable snort rules
in the database soon.
Ofir Arkin [ofir at ...64...]
Senior Security Analyst
Chief of Grey Hats
"Opinions expressed do not necessarily
represent the views of my employer."
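As an added example (not from Ofir's post, and not a Snort rule), here is a small Python checker that applies the three criteria above, DF bit set, all-zero payload, 1500-byte datagram, to a raw IPv4/ICMP datagram, plus a lenient parser for `ngrep -x` style hex rows like the ones quoted further down, so a logged dump can be checked for zero payload offline. The sample datagram and dump rows are constructed here; the 10.0.0.x addresses, the 1500-byte expected length and all function names are assumptions.

```python
import re
import struct

IP_PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
IP_FLAG_DF = 0x4000  # "don't fragment" bit in the IPv4 flags/fragment-offset field


def build_ipv4_icmp_echo(total_len=1500, df=True, payload_byte=0x00,
                         icmp_type=ICMP_ECHO_REQUEST):
    """Build a constructed IPv4 + ICMP echo datagram for testing (not captured traffic).

    Checksums are left at zero; the classifier below does not verify them.
    """
    ihl = 5                                    # 20-byte IPv4 header, no options
    payload_len = total_len - ihl * 4 - 8      # minus 8-byte ICMP echo header
    if payload_len < 0:
        raise ValueError("total_len too small for IPv4 + ICMP echo")
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0x1234,
                         IP_FLAG_DF if df else 0, 64, IP_PROTO_ICMP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # assumed addresses
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x0001, 0x0001)
    return ip_hdr + icmp_hdr + bytes([payload_byte]) * payload_len


def classify_icmp(datagram, expected_len=1500):
    """Parse an IPv4 datagram and report whether it fits the PMTU-probe profile.

    Profile from the thread: ICMP echo request, DF set, payload of zeros,
    total length of expected_len bytes (1500 on Ethernet).
    Returns None if the datagram is not IPv4/ICMP.
    """
    if len(datagram) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    if ver_ihl >> 4 != 4 or proto != IP_PROTO_ICMP:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    icmp = datagram[ihl:total_len]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    payload = icmp[8:]
    df = bool(flags_frag & IP_FLAG_DF)
    zero_payload = not any(payload)
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "total_len": total_len,
        "df": df,
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "payload_len": len(payload),
        "zero_payload": zero_payload,
        "pmtu_probe_profile": (icmp_type == ICMP_ECHO_REQUEST and df
                               and zero_payload and total_len == expected_len),
    }


# Up to 16 two-digit hex tokens at the start of a row; the ASCII column that
# ngrep -x prints after them is not matched because its characters are not hex pairs
# followed by whitespace (assumption: an ASCII column that happens to look like a
# hex pair would be misread; good enough for eyeballing zero-filled dumps).
_HEX_ROW = re.compile(r"^\s*((?:[0-9a-fA-F]{2}\s+){1,16})")


def parse_hex_dump(lines):
    """Recover bytes from 'ngrep -x' style rows ("9a bc de f0 00 ...   ........")."""
    out = bytearray()
    for line in lines:
        m = _HEX_ROW.match(line + " ")      # trailing space so a final hex token matches
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


# Constructed rows modelled on the dump quoted in the thread (not the original capture).
SAMPLE_NGREP_ROWS = [
    "9a bc de f0 00 00 00 00 00 00 00 00 00 00 00 00    ................",
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................",
    "00 00 00 00                                        ....",
]


if __name__ == "__main__":
    for label, pkt in [("pmtu-like", build_ipv4_icmp_echo()),
                       ("no DF", build_ipv4_icmp_echo(df=False)),
                       ("data payload", build_ipv4_icmp_echo(payload_byte=0x41)),
                       ("small ping", build_ipv4_icmp_echo(total_len=64))]:
        print(label, classify_icmp(pkt))
    dump = parse_hex_dump(SAMPLE_NGREP_ROWS)
    print("dump bytes:", len(dump), "all zero after first 4:", not any(dump[4:]))
```

Run it as a script to see the four constructed cases classified; only the first one satisfies all three criteria, a normal small ping or a ping carrying data does not. Feeding it a dump saved from `ngrep -x` lets you confirm the payload really is all zeros before dismissing an alert as PMTU discovery.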
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Martin Roesch
Sent: Thursday, November 23, 2000 7:58 AM
To: chganser at ...811...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] large icmp
The large ICMP packets are frequently Path MTU Discovery packets from
operating systems. Check the list archives at Sourceforge for more
information on them.
Without seeing the DDOS packet logs it's hard to say what you got....
"Ch. Ganser" wrote:
> i am new to snort and new to all this network (security) stuff.
> i newly installed snort, with the visions-rule-set and snortsnarf for
> analysing the logs.
> now i see many large icmp from one machine and stacheldraht
> server-spoof from another one.
> the undefined large icmp echo-packets go to 6 different hosts.
> in all packets look like this (using ngrep -x "*" icmp):
> 9a bc de f0 00 00 00 00 00 00 00 00 00 00 00 00 ................
> -- 91 lines like this one
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> -- and
> 00 00 00 00 ....
> what kind of program creates these packages? i could not find any useful
> information on the net. as much as i know the box is a power mac g4.
> the ddos-stacheldraht server-spoof has one source (internal) and 116
> external targets.
> are these normal signs?
> thanks and bye
> Christoph Ganser
> Zuerich, Switzerland
> PGP http://www.uplink.ethz.ch/~chganser/pgp_keys.asc
> Mobile: +41 76 580 72 90
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
roesch at ...421...