[Snort-users] MISC Large ICMP Packet

Fernando Cardoso fernando.cardoso at ...965...
Fri Apr 6 04:32:46 EDT 2001

Suspicious, but probably benign. I would add to your list MTU discovery by
HP/UX and AIX boxes. Possibly the Brearley box you saw in your logs would be
one of this systems. As I remember, the payload would be all zeros.


Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso at ...965...     http://www.whatevernet.com/

> I've seen similar things, I suspect that these are probes from a
> couple of
> possible places:
> - content distribution networks (akamai and the like)
> - caching networks (squid)
> - ad networks (doubleclick and the like)
> Most of the time when I saw these the source address turned out
> to be part of
> the address space of one of the above.
> However I noticed the source address on this on was part of a
> netblock owned
> by the brearley school in new york. So it's sort of suspicious....
> --
> roel
> Silicon Defense: Technical Support for Snort!
> http://www.SiliconDefense.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply

More information about the Snort-users mailing list