[Snort-users] Re: A new type of ICMP packet

Chris Green cmg at ...671...
Tue May 29 11:33:41 EDT 2001


Matt Scarborough <vexversa at ...770...> writes:

> On Fri, 25 May 2001 10:11:30 -0600, Phil Wood  wrote:
> 
> >Eight unknown ICMP's left my establishment last night at 1 second intervals.
> 
> ICMP payload 3f3f 3f3f with TTL 10 indicates Napster. But ICMP code and type
> 0254 do not.
> 
> Then again, if that is ICMP Id 666 (029a) other things may be afoot.

Check to see if your src addy is a Macintosh running Napster. There
seems to be a Napster client for Macs that has that ICMP ID (check the
archives for further info).
-- 
Chris Green <cmg at ...671...>
Fame may be fleeting but obscurity is forever.
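
A triage sketch for the traits quoted in this thread (payload 3f3f 3f3f, TTL 10, ICMP Id 666 / 029a), added here as an example and not code from either poster or from Snort. It assumes a raw IPv4 packet and reads the Id from the echo-style header position (RFC 792); the function names and the sample packets are constructed for illustration.

```python
import struct

# Traits quoted in the thread; their link to Napster is the posters' claim.
PAYLOAD_MARK = bytes.fromhex("3f3f3f3f")
TTL_MARK = 10
ICMP_ID_MARK = 0x029A  # decimal 666


def triage_icmp(packet: bytes) -> dict:
    """Decode a raw IPv4 packet carrying ICMP and report which traits match."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("truncated IPv4/ICMP header")
    if packet[9] != 1:                    # IP protocol 1 = ICMP
        raise ValueError("IP protocol is not ICMP")
    ttl = packet[8]
    # Assumption: bytes 4-5 of the ICMP header are read as the Id even for
    # types that do not define one, so unknown types can still be compared.
    icmp_type, code, _cksum, ident, seq = struct.unpack(
        "!BBHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:]
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "ttl": ttl, "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "payload_match": payload.startswith(PAYLOAD_MARK),
        "ttl_match": ttl == TTL_MARK,
        "id_match": ident == ICMP_ID_MARK,
    }


def build_sample(ttl: int, icmp_type: int, ident: int, payload: bytes,
                 proto: int = 1) -> bytes:
    """Constructed test packet; checksums are left at zero and not verified."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0,
                     ttl, proto, 0, bytes([192, 0, 2, 10]),
                     bytes([198, 51, 100, 7]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, 1)
    return ip + icmp + payload


if __name__ == "__main__":
    samples = [build_sample(10, 8, 0x029A, PAYLOAD_MARK),
               build_sample(64, 8, 1, b"abcdefgh")]
    for pkt in samples:
        print(triage_icmp(pkt))
```

Any single match is weak evidence on its own; the source address still has to be checked against the host, as the reply suggests.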
