[Snort-users] Re: A new type of ICMP packet

Phil Wood cpw at ...440...
Tue May 29 00:55:48 EDT 2001


On Mon, May 28, 2001 at 09:12:32PM -0400, Matt Scarborough wrote:
> On Fri, 25 May 2001 10:11:30 -0600, Phil Wood  wrote:
> 
> >Eight unknown ICMP's left my establishment last night at 1 second intervals.
> 
> ICMP payload 3f3f 3f3f with TTL 10 indicate Napster. But ICMP code and type
> 0254 do not.
> 
> Then again, if that is ICMP Id 666 (029a) other things may be afoot.
> 
> Could you post tcpdump -X so nothing may be lost in the conversion?

It's the MNOPQRST sequence!  %^) 

19:43:27.524954 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  5e01ba0b  0a000736  d10c4bcc : E     @ ^      6  K  :
  024d0020  029a0001  3f3f3f3f  00000000  00000000 :  M      ????         :
  00000000  0000                                   :                      :
19:43:28.684491 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  5201c60b  0a000736  d10c4bcc : E     @ R      6  K  :
  024e0020  029a0001  3f3f3f3f  00000000  00000000 :  N      ????         :
  00000000  0000                                   :                      :
19:43:29.722691 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  4601d20b  0a000736  d10c4bcc : E     @ F      6  K  :
  024f0020  029a0001  3f3f3f3f  00000000  00000000 :  O      ????         :
  00000000  0000                                   :                      :
19:43:30.870075 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  3a01de0b  0a000736  d10c4bcc : E     @ :      6  K  :
  02500020  029a0001  3f3f3f3f  00000000  00000000 :  P      ????         :
  00000000  0000                                   :                      :
19:43:32.040454 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  2e01ea0b  0a000736  d10c4bcc : E     @ .      6  K  :
  02510020  029a0001  3f3f3f3f  00000000  00000000 :  Q      ????         :
  00000000  0000                                   :                      :
19:43:33.168850 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  2201f60b  0a000736  d10c4bcc : E     @ "      6  K  :
  02520020  029a0001  3f3f3f3f  00000000  00000000 :  R      ????         :
  00000000  0000                                   :                      :
19:43:34.359758 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  1601020c  0a000736  d10c4bcc : E     @        6  K  :
  02530020  029a0001  3f3f3f3f  00000000  00000000 :  S      ????         :
  00000000  0000                                   :                      :
19:43:35.443925 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  0a010e0c  0a000736  d10c4bcc : E     @        6  K  :
  02540020  029a0001  3f3f3f3f  00000000  00000000 :  T      ????         :
  00000000  0000                                   :                      :
> 
> Matt Scarborough 2001-05-29
> 
> >  They all looked like this:
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 32             |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | Identification = 48669        | |D| | Fragment Offset = 0     |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  |    TTL=10     | Protocol = 1  | Header Checksum = 3596        |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | Source Address  = 10.0.7.54                                |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | Destination Address  = 209.12.75.204                          |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >      RFC792: INTERNET CONTROL MESSAGE PROTOCOL, September 1981
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | Type = 2      | Code = 84     | Checksum = 32                 |
> >  | Unknown Type/Code                                             |
> >  :  029a0001  3f3f3f3f  00000000  00000000    :     ????         :
> >  :  00000000  0000                            :                  :
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >
> >Anyone seeing these?  Snort sees them as "ICMP Unassigned! (Type 2)".
> 

-- 
Phil Wood, cpw at ...440...
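As an added example that is not part of the thread above, here is a small Python parser for the `tcpdump -X` layout Phil posted, decoding the fields the discussion turns on: the unassigned ICMP type, the code byte that carries the letter, the identifier 0x029a (666), the `3f3f3f3f` payload, the TTL trend across the burst, and whether the IP and ICMP header checksums verify under RFC 1071. The sample dump embeds three of the eight packets quoted above (the first, second and last); the parser accepts the full dump unchanged. The function names (`parse_tcpdump`, `decode`, `summarize`) and the triage summary layout are my own, not Snort's or tcpdump's.

```python
import re
import struct
from dataclasses import dataclass

# Three of the eight packets from the tcpdump -X output quoted above (the
# first, the second and the last); the parser accepts the full dump unchanged.
SAMPLE_DUMP = """\
19:43:27.524954 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  5e01ba0b  0a000736  d10c4bcc : E     @ ^      6  K  :
  024d0020  029a0001  3f3f3f3f  00000000  00000000 :  M      ????         :
  00000000  0000                                   :                      :
19:43:28.684491 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  5201c60b  0a000736  d10c4bcc : E     @ R      6  K  :
  024e0020  029a0001  3f3f3f3f  00000000  00000000 :  N      ????         :
  00000000  0000                                   :                      :
19:43:35.443925 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  0a010e0c  0a000736  d10c4bcc : E     @        6  K  :
  02540020  029a0001  3f3f3f3f  00000000  00000000 :  T      ????         :
  00000000  0000                                   :                      :
"""

# ICMP types with no IANA assignment; type 2 is the one Snort reported here.
UNASSIGNED_ICMP_TYPES = {1, 2, 7}


@dataclass
class IcmpPacket:
    ts: str
    src: str
    dst: str
    ttl: int
    ip_id: int
    ip_cksum_ok: bool
    icmp_type: int
    code: int
    icmp_cksum_ok: bool
    ident: int
    seq: int
    payload: bytes


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words; a header verifies when this is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode(ts: str, raw: bytes) -> IcmpPacket:
    """Decode one IP+ICMP datagram from the raw bytes of a tcpdump -X record."""
    ver_ihl, _tos, tot_len, ip_id, _frag, ttl, proto, _ck, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if proto != 1:
        raise ValueError("not an ICMP datagram")
    ihl = (ver_ihl & 0x0F) * 4
    # The dump shows the Ethernet-padded frame (46 bytes); Total Length (32) is authoritative.
    ip = raw[:tot_len]
    icmp = ip[ihl:]
    icmp_type, code, _icmp_ck, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return IcmpPacket(ts, ".".join(map(str, src)), ".".join(map(str, dst)),
                      ttl, ip_id, rfc1071_checksum(ip[:ihl]) == 0,
                      icmp_type, code, rfc1071_checksum(icmp) == 0,
                      ident, seq, icmp[8:])


def parse_tcpdump(text: str) -> list:
    """Split tcpdump -X text into records: a timestamp line followed by indented hex lines."""
    packets, ts, hexbuf = [], None, []
    for line in text.splitlines() + [""]:           # "" is a sentinel that flushes the last record
        if line == "" or re.match(r"\d\d:\d\d:\d\d\.\d+ ", line):
            if ts is not None and hexbuf:
                packets.append(decode(ts, bytes.fromhex("".join(hexbuf))))
            ts, hexbuf = (line.split()[0] if line else None), []
        elif line.startswith("  "):
            # Hex groups sit before the first ':'; the ASCII column after it is ignored.
            hexbuf.extend(re.findall(r"\b[0-9a-f]{2,8}\b", line.split(":", 1)[0]))
    return packets


def summarize(packets: list) -> dict:
    """Roll up what a triage note should record about a burst like this one."""
    return {
        "sources": sorted({p.src for p in packets}),
        "destinations": sorted({p.dst for p in packets}),
        "unassigned_type": any(p.icmp_type in UNASSIGNED_ICMP_TYPES for p in packets),
        # The code field is where the letters live: 0x4d..0x54 is 'M'..'T'.
        "code_sequence": "".join(chr(p.code) if 32 <= p.code < 127 else "." for p in packets),
        "idents": sorted({p.ident for p in packets}),
        "payloads": sorted({p.payload for p in packets}),
        "ttl_trend": [p.ttl for p in packets],
        "bad_ip_checksums": sum(not p.ip_cksum_ok for p in packets),
        "bad_icmp_checksums": sum(not p.icmp_cksum_ok for p in packets),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_tcpdump(SAMPLE_DUMP)).items():
        print(f"{key:>20}: {value}")
```

Running it against the page's bytes yields the letter sequence from the code field, the single identifier 666, the `????` payload, and a TTL that drops by 12 between consecutive packets; over these bytes neither the IP nor the ICMP header checksum verifies, which is itself worth recording when triaging hand-built packets alongside the "ICMP Unassigned! (Type 2)" alert.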
