[Snort-users] Large ICMP packets

jess at ...521...
Fri Sep 29 09:48:58 EDT 2000


	I posted this in the Discussion Forums (before I subscribed to this
list), but I'm afraid people don't access them very often...

	Well, this is my question. I'm frequently receiving 'Large ICMP
packet' snort alerts, which seem to correspond to echo requests with a
payload of 1472 '0's.

	Does anybody know what the originating OS is and why it sends them
(if it's some sort of load balancing mechanism or anything, I mean)?

	By the way, does anyone know of any reference where we can find
ICMP behaviours (and by extension, TCP/UDP)? I mean, I know that the
payload of an ICMP ping message depends on the OS, that the Destination
Unreachable ICMP packets include a portion of the original one, and that
portion depends on the OS, ... Basically, what I'm asking for is passive
fingerprinting info. I've got a couple of references (like Lance Spitzner's
web page or the Fyodor paper on NMAP), but I'm looking for something more
specific and complete. Has anyone done such research?
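As an added example (not from the post or from Snort itself), a small Python inspector that decodes an ICMP echo request, applies the kind of size check behind a 'Large ICMP packet' alert, and classifies the payload pattern the way passive fingerprinting does; the 800-byte threshold, the function names and the sample packets are assumptions constructed here.

```python
import struct

# Assumption: payload size above which the packet counts as "large".
LARGE_ICMP_THRESHOLD = 800
ICMP_ECHO_REQUEST = 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample packet: ICMP header + payload, checksum filled in."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def classify_payload(payload: bytes) -> str:
    """Crude payload fingerprint; labels are this example's own naming."""
    if not payload:
        return "empty"
    if payload.count(0) == len(payload):
        return "all-zero"          # the 1472 '0's case from the post
    if b"abcdefghijklmnopqrstuvwabcdefghi" in payload:
        return "windows-ping-style"  # 32-byte alphabet filler used by Windows ping
    if len(payload) >= 16 and payload[8:16] == bytes(range(0x10, 0x18)):
        return "unix-ping-style"     # timestamp followed by incrementing bytes
    return "other"

def inspect_icmp(packet: bytes) -> dict:
    """Decode an ICMP message (no IP header) and report what an analyst wants."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    return {
        "type": itype, "code": code, "id": ident, "seq": seq,
        "checksum_ok": icmp_checksum(packet) == 0,   # valid message sums to zero
        "dsize": len(payload),
        "large": len(payload) > LARGE_ICMP_THRESHOLD,
        # 20-byte IPv4 header + 8-byte ICMP header + payload; 1472 gives 1500,
        # the Ethernet MTU, i.e. the biggest ping that needs no fragmentation.
        "on_wire_ip_len": 20 + len(packet),
        "pattern": classify_payload(payload),
    }
```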



More information about the Snort-users mailing list