[Snort-users] Re: A new type of ICMP packet

Matt Scarborough vexversa at ...770...
Tue May 29 04:21:30 EDT 2001


On Mon, 28 May 2001 22:55:48 -0600, Phil Wood wrote:
>On Mon, May 28, 2001 at 09:12:32PM -0400, Matt Scarborough wrote:
>> On Fri, 25 May 2001 10:11:30 -0600, Phil Wood  wrote:
>> 
>> >Eight unknown ICMP's left my establishment last night at 1 second intervals.
>> 
>> ICMP payload 3f3f 3f3f with TTL 10 indicate Napster. But ICMP code and type
>> 0254 do not.
>> 
>> Then again, if that is ICMP Id 666 (029a) other things may be afoot.
>> 
>> Could you post tcpdump -X so nothing may be lost in the conversion?
>
>It's the MNOPQRST sequence!  %^)

OK. Close though. FWIW anyhow
http://archives.neohapsis.com/archives/incidents/2001-02/0329.html

>19:43:27.524954 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
>  45000020  be1d4000  5e01ba0b  0a000736  d10c4bcc : E     @ ^      6  K  :
>  024d0020  029a0001  3f3f3f3f  00000000  00000000 :  M      ????         :
>  00000000  0000                                   :                      :
>19:43:28.684491 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
>  45000020  be1d4000  5201c60b  0a000736  d10c4bcc : E     @ R      6  K  :
>  024e0020  029a0001  3f3f3f3f  00000000  00000000 :  N      ????         :
>  00000000  0000     
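
An added example, not part of the original message or of Snort: a short Python decoder for the two packets quoted above. It pulls out the fields the thread discusses (TTL, ICMP type and code, ID, sequence, payload) and checks the ICMP checksum. The function names are this example's own; the hex words are copied from the quoted dump.

```python
import struct

# Hex words copied from the two packets quoted in the post (ASCII column dropped).
DUMPS = [
    "45000020 be1d4000 5e01ba0b 0a000736 d10c4bcc "
    "024d0020 029a0001 3f3f3f3f 00000000 00000000 00000000 0000",
    "45000020 be1d4000 5201c60b 0a000736 d10c4bcc "
    "024e0020 029a0001 3f3f3f3f 00000000 00000000 00000000 0000",
]

def inet_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0xFFFF when data carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode(hexdump: str) -> dict:
    """Decode one IPv4/ICMP packet given as space-separated hex words."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ver_ihl, _tos, total_len, _ipid, _frag, ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or total_len > len(raw):
        raise ValueError("not a complete IPv4/ICMP packet")
    icmp = raw[ihl:total_len]  # IP total length trims the trailing link-layer padding
    if len(icmp) < 8:
        raise ValueError("ICMP header truncated")
    ic_type, ic_code, _cksum, ic_id, ic_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "ttl": ttl, "type": ic_type, "code": ic_code,
        "code_chr": chr(ic_code),  # the byte the dump's ASCII column shows as M, N
        "id": ic_id, "seq": ic_seq, "payload": icmp[8:],
        "icmp_cksum_ok": inet_sum(icmp) == 0xFFFF,
    }

if __name__ == "__main__":
    for dump in DUMPS:
        print(decode(dump))
```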
