[Snort-users] Large ICMP packets

Martin Roesch roesch at ...421...
Mon Oct 2 14:24:28 EDT 2000

This looks like HP-UX/AIX Path MTU dicovery packets, which other people have
talked about at length here.  One of them came from apple.com.... :-/


jess at ...521... wrote:
>         Hi!
>         I posted this in the Discussion Forums (before I subscribed this
> list), but I'm afraid people don't access them very often...
>         Well, this is my question. I'm frequently receiving 'Large ICMP
> packet' snort alerts, which seem to correspond to echo requests with a
> payload of 1472 '0's.
>         Does anybody know what's the originating OS and why it sends them
> (if it's some sort of load balancing mechanism or anything, I mean)?
>         By the way, does anyone know of any reference where we can find
> ICMP behaviours (and by extension, TCP/UDP)? I mean, I know that the
> payload of an ICMP ping message depends on the OS, that the Destination
> Unreachable ICMP packets include a portion of the original one, and that
> portion depends on the OS, ... Basically, what I'm asking for is passive
> fingerprinting info. I've got a couple of references (like Lance Spitner's
> web page or the Fyodor paper on NMAP, but I'm looking for something more
> specific and complete. Has anyone done such a research?
>         Cheers,
>                                                                 JESS
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

Martin Roesch
roesch at ...421...

More information about the Snort-users mailing list