[Snort-users] A new type of ICMP packet

Ofir Arkin ofir at ...949...
Fri May 25 16:18:08 EDT 2001


Phil,

Type 2 is unassigned.
TTL=10 is suspicious as well.

I have seen the "3f3f3f3f" pattern somewhere before...
But I fail to remember where and why.

Ofir Arkin [ofir at ...949...]
Founder
The Sys-Security Group
http://www.sys-security.com

----- Original Message -----
From: "Phil Wood" <cpw at ...440...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, May 25, 2001 6:11 PM
Subject: [Snort-users] A new type of ICMP packet


>
> Folks,
>
> Eight unknown ICMP's left my establishment last night at 1 second intervals.
> They all looked like this:
>
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>   | VER=4 | IHL=5 | ROU | | | | | | Total Length = 32             |
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>   | Identification = 48669        | |D| | Fragment Offset = 0     |
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>   |    TTL=10     | Protocol = 1  | Header Checksum = 3596        |
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>   | Source Address  = 10.0.7.54                                |
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>   | Destination Address  = 209.12.75.204                          |
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>       RFC792: INTERNET CONTROL MESSAGE PROTOCOL, September 1981
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>   | Type = 2      | Code = 84     | Checksum = 32                 |
>   | Unknown Type/Code                                             |
>   :  029a0001  3f3f3f3f  00000000  00000000    :     ????         :
>   :  00000000  0000                            :                  :
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> Anyone seeing these?  Snort sees them as "ICMP Unassigned! (Type 2)".
>
> Thanks,
>
> Phil
>
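
The two observations in the reply (an ICMP type with no assigned meaning, and a TTL of 10 on a packet that has only just left its sender) can be turned into a small egress triage check, which also looks for the 3f3f3f3f payload pattern. This is an added example, not part of the original thread; the ICMP type allow-list, the hop budget of 5 and the sample payload bytes are assumptions.

```python
import struct

# Small allow-list of ICMP types defined in RFC 792, RFC 950 and RFC 1256
# (an assumption for this example; extend it to the traffic you expect).
KNOWN_ICMP_TYPES = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
MAX_LOCAL_HOPS = 5  # assumed hop budget between a sender and the egress sensor


def triage_icmp(packet: bytes) -> list:
    """Return the reasons an IPv4/ICMP packet seen at egress looks abnormal."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not a complete IPv4 header"]
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    ttl, proto = packet[8], packet[9]
    if proto != 1:  # not ICMP, nothing to say
        return []
    reasons = []
    # Near its source, a packet's TTL should sit just below a common initial value.
    if not any(0 <= init - ttl <= MAX_LOCAL_HOPS for init in COMMON_INITIAL_TTLS):
        reasons.append(f"TTL {ttl} is not near a common initial TTL")
    if frag & 0x1FFF:
        return reasons + ["non-first fragment, no ICMP header to inspect"]
    icmp = packet[ihl:total_len]
    if ihl < 20 or len(icmp) < 4:
        return reasons + ["truncated ICMP header"]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in KNOWN_ICMP_TYPES:
        reasons.append(f"ICMP type {icmp_type} (code {icmp_code}) not in allow-list")
    if b"\x3f\x3f\x3f\x3f" in icmp[4:]:
        reasons.append("payload contains 3f3f3f3f")
    return reasons


def build_sample(ttl: int, icmp_type: int, code: int, payload: bytes) -> bytes:
    """Constructed packet reusing the header fields shown in the quoted dump."""
    icmp = struct.pack("!BBH", icmp_type, code, 32) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 48669, 0x4000,
                     ttl, 1, 3596, bytes([10, 0, 7, 54]), bytes([209, 12, 75, 204]))
    return ip + icmp


if __name__ == "__main__":
    # Payload bytes are illustrative, not a reconstruction of the capture.
    print(triage_icmp(build_sample(10, 2, 84, b"\x00\x01\x3f\x3f\x3f\x3f\x00\x00")))
    print(triage_icmp(build_sample(64, 8, 0, b"\x00\x01abcdefgh")))  # ordinary echo
```

Checksums are deliberately not validated here, since the constructed packet copies the displayed checksum values without recomputing them.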