[Snort-users] Is this a valid traffic?

Skip Carter skip at ...1552...
Wed Apr 3 09:52:32 EST 2002


> This is an icmp packet. But I don't know if it's valid.
> Comments please. Thanks.
> 
> 04/02-23:48:49.573330 w.x.y.z -> 12.248.252.154
> ICMP TTL:226 TOS:0x0 ID:62326 IpLen:20 DgmLen:1500 DF
> Type:8  Code:0  ID:0   Seq:0  ECHO
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

> neil camara (neil at ...4898...) - cc{na|sa}, mcse - pgp 0x777777B2

  This is an echo request packet, the type generated by a 'ping' program.
  There are two unusual things about it:

	-- it is zero filled.  This is not necessarily suspicious; it's just that since
           the payload of an echo request packet is not used, some OSs just send random
           data (whatever happened to be in the allocated memory block) and others zero
           fill it.  Because of this, the fact that it is zero filled can be helpful in
           identifying the OS of the sending system.

        -- the packet size is 1500 bytes.   There is never any reason for an ICMP packet
           to be larger than 128 bytes.  So a packet this size may be part of an OS recon
           scan of your network (different OSs will respond differently to a
           large ICMP packet).


    These packets are pretty common.  I wouldn't worry about them unless they
    contained nonzero data (indicating a possible covert data channel), were
    extremely frequent (maybe a DOS attempt), or associated with other activity.


-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip at ...1552...
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
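The triage rules in the reply above (zero-filled payload, datagram larger than 128 bytes, nonzero data as a possible covert channel, a burst from one source as a possible DoS) can be turned into a small script that reads Snort's packet-logger output and flags each echo request. The following is an added example, not code from the thread or from the Snort project. The log records are constructed in the same layout as the one quoted in the question; the 128-byte size threshold comes from the reply, while the per-source burst threshold of 10 and the "note/review/ignore" verdict names are this example's own assumptions.

```python
"""Triage Snort ICMP echo-request logs with the heuristics from the reply
above: zero-filled payload, oversized datagram, nonzero data, and bursts
from one source.  Added example; the sample log below is constructed."""
import re
from collections import Counter

# Constructed records in Snort's packet-logger layout (not real captures).
SAMPLE_LOG = """\
04/02-23:48:49.573330 10.0.0.5 -> 12.248.252.154
ICMP TTL:226 TOS:0x0 ID:62326 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:0   Seq:0  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

04/02-23:48:50.110000 10.0.0.5 -> 12.248.252.154
ICMP TTL:226 TOS:0x0 ID:62327 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:0   Seq:1  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

04/02-23:49:02.000000 10.0.0.9 -> 12.248.252.154
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:0  ECHO
48 65 6C 6C 6F 20 77 6F 72 6C 64 21 00 00 00 00  Hello world!....
"""

HEADER_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
DGMLEN_RE = re.compile(r"DgmLen:(\d+)")
TYPE_RE = re.compile(r"Type:(\d+)\s+Code:(\d+)")


def parse_snort_log(text):
    """Split the log into packets: header, IP line, ICMP line, hex dump."""
    packets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        hdr = HEADER_RE.match(lines[0])
        dgm = DGMLEN_RE.search(lines[1])
        typ = TYPE_RE.search(lines[2])
        if not (hdr and dgm and typ):
            continue  # not a packet record we understand; skip it
        payload = bytearray()
        for line in lines[3:]:
            # Each dump line is hex bytes, two spaces, then the ASCII view.
            payload += bytes.fromhex(line.split("  ", 1)[0])
        packets.append({
            "time": hdr.group(1), "src": hdr.group(2), "dst": hdr.group(3),
            "dgmlen": int(dgm.group(1)),
            "df": bool(re.search(r"\bDF\b", lines[1])),
            "type": int(typ.group(1)), "code": int(typ.group(2)),
            "payload": bytes(payload),
        })
    return packets


def triage(packets, size_threshold=128, burst_threshold=10):
    """Apply the reply's heuristics to each echo request (type 8, code 0).

    size_threshold is the 128-byte figure from the reply; burst_threshold
    (requests from one source within the log slice given) is an assumption.
    """
    echo_requests = [p for p in packets if p["type"] == 8 and p["code"] == 0]
    per_source = Counter(p["src"] for p in echo_requests)
    results = []
    for p in echo_requests:
        flags = []
        if p["dgmlen"] > size_threshold:
            flags.append("oversized")          # possible OS-recon probe
        if any(p["payload"]):
            flags.append("nonzero-payload")    # possible covert data channel
        else:
            flags.append("zero-filled")        # only an OS-fingerprint hint
        if per_source[p["src"]] >= burst_threshold:
            flags.append("frequent-source")    # possible DoS attempt
        if "nonzero-payload" in flags or "frequent-source" in flags:
            verdict = "review"
        elif "oversized" in flags:
            verdict = "note"
        else:
            verdict = "ignore"
        results.append({"src": p["src"], "dst": p["dst"],
                        "dgmlen": p["dgmlen"], "flags": flags,
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(parse_snort_log(SAMPLE_LOG)):
        print(r["verdict"], r["src"], "->", r["dst"], r["dgmlen"], r["flags"])
```

Run against the constructed log, the two 1500-byte zero-filled requests come out as "note" (oversized, nothing else) and the 84-byte request carrying "Hello world!" comes out as "review" for its nonzero payload; feed it ten records from one source and the "frequent-source" flag lifts them to "review" as well. The burst count is over whatever slice of log you pass in, so pick the slice (for instance one minute of alerts) to match the rate you consider abnormal.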