[Snort-users] ICMP PING Windows

Chris Keladis Chris.Keladis at ...2783...
Tue Nov 20 03:39:04 EST 2001


RAMALINGA Reddy wrote:

Hi Rali,

>         We are using snort on a linux box. There is one machine A which is
> trying an "ICMP PING Windows" on machine B. The number of times it attempted
> such a ping was 2450 in a span of 24 hours. The snort rule corresponding to
> this is checking for the following string in the content.
> content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"
> I suspect it to be a virus attack. Can anyone help ?

Doesn't appear to be anything unusual at first glance.

The 61, 62, 63 correspond to hex a, b, c (do a "man ascii" on your Linux
box to see a chart of hex values and their associated ascii
representations).

You really need more detail like the icmp_id, icmp_seq, perhaps the
packet size, etc. to draw a more accurate picture.

I forget how the Snort rules are ordered but I'm sure most serious ICMP
abnormalities are reported on before being passed to the lower rules to
try and analyze the characteristics of the payload to identify the
source host type.

Could it simply be someone who forgot a continuous 'ping -t' running
over the course of a day?

If it becomes too annoying you can either drop the pings at your network
border(s), or use Snort's various features to ignore the pings and keep
them from filling up your alert logs, databases, etc.

Regards,

Chris.
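To make the point above concrete (that the rule is a payload fingerprint, and that icmp_id, icmp_seq and size are what you need to look at), here is an added example, not from this thread or from the Snort project: a small Python script that decodes Snort's `|..|` hex content notation, parses a raw ICMP echo request into its id, sequence and size fields, verifies the checksum, and applies the content match. The only value taken from the post is the content string; both sample packets are constructed here, and the alphabet-filled payload is simply what the quoted rule is written to catch.

```python
"""Parse an ICMP echo request and apply a Snort-style content match.

Added example (not from the mailing-list post). The content string is
the one quoted in the thread; the sample packets are constructed here.
"""
import struct

# Content string quoted in the post (Snort's |..| hex notation).
SNORT_CONTENT = "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"

ICMP_ECHO_REQUEST = 8


def parse_snort_content(content):
    """Convert a Snort content string into bytes.

    Text outside |...| is taken literally; text inside is hex bytes,
    which is what the "man ascii" lookup in the post does by hand.
    """
    out = bytearray()
    in_hex = False
    for chunk in content.split("|"):
        if in_hex:
            out += bytes.fromhex(chunk)       # fromhex tolerates the spaces
        else:
            out += chunk.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_id, icmp_seq, payload):
    """Construct an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, icmp_id, icmp_seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, icmp_id, icmp_seq) + payload


def parse_echo(packet):
    """Return icmp_id, icmp_seq, total size and payload of an echo request.

    Returns None for anything that is not a well-formed echo request
    (wrong type/code, truncated header, or bad checksum).
    """
    if len(packet) < 8:
        return None
    itype, code, csum, icmp_id, icmp_seq = struct.unpack("!BBHHH", packet[:8])
    if itype != ICMP_ECHO_REQUEST or code != 0:
        return None
    # Recompute the checksum with the field zeroed; a mismatch means corruption.
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmp_checksum(zeroed) != csum:
        return None
    return {
        "icmp_id": icmp_id,
        "icmp_seq": icmp_seq,
        "size": len(packet),
        "payload": packet[8:],
    }


def matches_rule(packet, content=SNORT_CONTENT):
    """True if the packet is an echo request whose payload contains the pattern."""
    fields = parse_echo(packet)
    return fields is not None and parse_snort_content(content) in fields["payload"]


# Constructed sample traffic (not captured from the poster's network).
ALPHABET_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # alphabet-filled, 32 bytes
INCREMENTING_PAYLOAD = bytes(range(0x08, 0x38))          # 0x08..0x37 fill, no letters

SAMPLE_ALPHABET = build_echo(icmp_id=0x0200, icmp_seq=0x1234, payload=ALPHABET_PAYLOAD)
SAMPLE_INCREMENTING = build_echo(icmp_id=0x1A2B, icmp_seq=1, payload=INCREMENTING_PAYLOAD)


if __name__ == "__main__":
    for name, pkt in (("alphabet-fill", SAMPLE_ALPHABET),
                      ("incrementing-fill", SAMPLE_INCREMENTING)):
        f = parse_echo(pkt)
        print("%-18s id=0x%04x seq=%d size=%d match=%s"
              % (name, f["icmp_id"], f["icmp_seq"], f["size"], matches_rule(pkt)))
```

Running it shows that only the alphabet-filled packet trips the content match; the second packet, with a different fill pattern, passes through untouched. A steady id with an incrementing seq across thousands of alerts is exactly the picture of one long-running ping process rather than anything exotic, which is why the id and seq fields are worth pulling before drawing conclusions.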
