[Snort-users] ICMP Packets.

Skip Carter skip at ...1552...
Mon Aug 26 18:21:02 EDT 2002


> Anybody recognize this payload? It is part of an ICMP packet. I have
> searched Google and haven't found any reason why I would see this data
> in an ICMP echo packet.
> Awful suspicious....
> 
> vjl
> 
> FF D8 FF FE 00 08 57 41 4E 47 32 02 FF E0 00 10   ......WANG2.....
> 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF DB   JFIF.....`.`....
> 00 43 00 10 0B 0C 0E 0C 0A 10 0E 0D 0E 12 11 10   .C.............

  The JFIF is part of the header information in a JPEG image file.
  If somebody is really tunneling image files through an ICMP connection,
  that is definitely not good (who knows what else is moving that way).




-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip at ...1552...
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
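
Added example, not part of the original message: a short Python walk over the 48 payload bytes quoted above, treating them as the start of a JPEG stream and decoding each marker segment, including the JFIF APP0 header. The function names and the marker table are this example's own; the bytes are copied from the quoted hex dump.

```python
import struct

# Payload bytes copied from the hex dump quoted in the message above.
PAYLOAD = bytes.fromhex(
    "FFD8FFFE000857414E473202FFE00010"
    "4A46494600010101006000600000FFDB"
    "004300100B0C0E0C0A100E0D0E121110"
)

# Marker names from the JPEG/JFIF specifications (only the subset needed here).
MARKERS = {0xD8: "SOI", 0xFE: "COM", 0xE0: "APP0", 0xDB: "DQT"}


def walk_jpeg_segments(data):
    """Return (name, offset, declared_length, body, truncated) per segment."""
    if data[:2] != b"\xff\xd8":
        return []                       # no JPEG start-of-image marker
    segments = [("SOI", 0, 0, b"", False)]
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            break                       # malformed length field, stop walking
        body = data[pos + 4:pos + 2 + length]
        truncated = pos + 2 + length > len(data)   # segment runs past capture
        name = MARKERS.get(marker, "0x%02X" % marker)
        segments.append((name, pos, length, body, truncated))
        pos += 2 + length
    return segments


def parse_jfif_app0(body):
    """Decode the fixed 14-byte JFIF APP0 header, or None if it is not JFIF."""
    if len(body) < 14 or body[:5] != b"JFIF\x00":
        return None
    major, minor, units, xd, yd, tw, th = struct.unpack(">BBBHHBB", body[5:14])
    return {"version": "%d.%02d" % (major, minor), "units": units,
            "x_density": xd, "y_density": yd, "thumbnail": (tw, th)}


if __name__ == "__main__":
    for name, off, length, body, trunc in walk_jpeg_segments(PAYLOAD):
        note = " (continues past captured bytes)" if trunc else ""
        print("%-4s offset=%2d length=%3d%s" % (name, off, length, note))
        if name == "APP0":
            print("     ", parse_jfif_app0(body))
        elif name == "COM":
            print("     ", body)
```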














