[Snort-users] large icmp

Ofir Arkin ofir at ...64...
Thu Nov 23 15:28:35 EST 2000


Well, this one was discussed over and over :)

You can look at the payload of the datagram.
All lovely zeros.

For a match for PMTU discovery using ICMP Echo Requests you need:
DF Bit is set
Payload of zeros
Size of datagram (this will be, in the Ethernet case, well, nearly all cases, a total of 1500 bytes).

I think this should be tuned, so other signatures with ICMP can be tuned as
well.


I am going to do some work on the issues I have introduced with my research and put the applicable snort rules in the database soon.


Ofir Arkin  [ofir at ...64...]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Founder
http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."
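
The three criteria above, as an added example that is not part of the original thread: a Python classifier that tests a raw IPv4/ICMP datagram for the DF bit, an all-zero payload and a 1500-byte total length. The packet builder, the 10.0.0.x addresses and the sample packets are constructed here for illustration; the thread itself gives no rule.

```python
import struct

IP_FLAG_DF = 0x4000       # Don't Fragment bit in the IPv4 flags/fragment-offset field
IP_PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ETHERNET_MTU = 1500       # total datagram length the reply cites for the Ethernet case


def build_echo_request(payload: bytes, df: bool) -> bytes:
    """Assumed helper: build a minimal IPv4 + ICMP Echo Request for testing.
    Checksums stay zero (never verified here); 10.0.0.x addresses are placeholders."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                         IP_FLAG_DF if df else 0, 64, IP_PROTO_ICMP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + payload


def pmtu_criteria(packet: bytes):
    """Check a raw IPv4 datagram (no link-layer header) against the three PMTU-discovery
    hints: DF set, all-zero payload, total length 1500. None if not an Echo Request."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    flags_frag, = struct.unpack("!H", packet[6:8])
    if packet[9] != IP_PROTO_ICMP or len(packet) < ihl + 8 or packet[ihl] != ICMP_ECHO_REQUEST:
        return None
    payload = packet[ihl + 8:total_len]
    crit = {
        "df": bool(flags_frag & IP_FLAG_DF),
        "zero_payload": len(payload) > 0 and payload == bytes(len(payload)),
        "full_mtu": total_len == ETHERNET_MTU,
    }
    crit["pmtu_probe"] = crit["df"] and crit["zero_payload"] and crit["full_mtu"]
    return crit


# Constructed samples: the 1500-byte DF probe the thread describes, an ordinary
# ping carrying an ASCII pattern, and a zero-filled 1500-byte echo without DF.
PROBE = build_echo_request(bytes(1472), df=True)
PING = build_echo_request(b"abcdefgh" * 7, df=False)
ZERO_NO_DF = build_echo_request(bytes(1472), df=False)

if __name__ == "__main__":
    for name, pkt in (("probe", PROBE), ("ping", PING), ("zero-no-df", ZERO_NO_DF)):
        print(f"{name:>10} len={len(pkt):4d} {pmtu_criteria(pkt)}")
```

Only the packet that satisfies all three hints is reported as a probe; a zero-filled 1500-byte echo without DF is still flagged on two of three, which is the case worth tuning a signature around.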


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Martin Roesch
Sent: Thursday, November 23, 2000 7:58 AM
To: chganser at ...811...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] large icmp


The large ICMP packets are frequently Path MTU Discovery packets from various
operating systems.  Check the list archives at Sourceforge for more
information on them.

Without seeing the DDOS packet logs it's hard to say what you got....

    -Marty

"Ch. Ganser" wrote:
>
> hi
>
> i am new to snort and new to all this network (security) stuff.
>
> i newly installed snort, with the visions-rule-set and snortsnarf for
> analysing the logs.
>
> now i see many large icmp from one machine and stacheldraht
> server-spoof from another one.
>
> the undefined large icmp echo-packets go to 6 different hosts.
>
> all packets look like this (using ngrep -x "*" icmp):
> 9a bc de f0 00 00 00 00    00 00 00 00 00 00 00 00    ................
> -- 91 lines like this one
> 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
> -- and
> 00 00 00 00                                           ....
>
> what kind of program creates these packets? i could not find any useful
> information on the net. as much as i know the box is a power mac g4.
>
> the ddos-stacheldraht server-spoof has one source (internal) and 116
> external targets.
>
> are these normal signs?
>
> thanks and bye
>
> christoph
>
> --
> Christoph Ganser
> Zuerich, Switzerland
> PGP http://www.uplink.ethz.ch/~chganser/pgp_keys.asc
> Mobile: +41 76 580 72 90
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org