[Snort-users] ICMP Packets.

larosa, vjay larosa_vjay at ...3331...
Mon Aug 26 18:38:02 EDT 2002


Yeah, we were pretty sure that this is some sort of JPEG information
in the ICMP packet. I have seen some other activity between
ports 88 and 1107 as well with the hosts involved in the ICMP
conversations. I did manage to come across another post somewhere
else talking about this same kind of activity; this was the post:

http://cert.uni-stuttgart.de/archive/intrusions/2002/05/msg00430.html

If anybody else has any helpful insight it would be appreciated. Thanks!

vjl



-----Original Message-----
From: Skip Carter [mailto:skip at ...1552...]
Sent: Monday, August 26, 2002 9:20 PM
To: larosa, vjay
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ICMP Packets. 



> Anybody recognize this payload? It is part of an ICMP packet. I have
> searched Google and haven't found any reason why I would see this data
> in an ICMP echo packet.
> Awfully suspicious....
> 
> vjl
> 
> FF D8 FF FE 00 08 57 41 4E 47 32 02 FF E0 00 10   ......WANG2.....
> 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF DB   JFIF.....`.`....
> 00 43 00 10 0B 0C 0E 0C 0A 10 0E 0D 0E 12 11 10   .C.............

  The JFIF is part of the header information in a JPEG image file.
  If somebody is really tunneling image files through an ICMP connection
  that is definitely not good (who knows what else is moving that way).




-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip at ...1552...
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
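Added example (not code from either poster): the quoted dump is a JPEG header (SOI, a COM segment containing "WANG2", an APP0/JFIF segment, then a DQT table). The script below builds an ICMP echo request around those constructed bytes and walks the JPEG marker segments in the echo payload, which is the check a sensor or a pcap post-processor would apply to flag image data riding on ICMP; the packet itself is constructed inline, not captured.

```python
import struct

# Constructed sample: the three dump lines quoted in the post, as bytes.
SAMPLE_PAYLOAD = bytes.fromhex(
    "FFD8FFFE000857414E473202FFE00010"
    "4A46494600010101006000600000FFDB"
    "004300100B0C0E0C0A100E0D0E121110"
)

MARKER_NAMES = {0xFE: "COM", 0xE0: "APP0", 0xDB: "DQT", 0xC0: "SOF0"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an ICMP echo request (type 8, code 0) carrying `payload`."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def jpeg_segments(data: bytes):
    """Walk JPEG marker segments at the start of `data`.
    Returns [(marker_name, declared_length, first_5_body_bytes), ...],
    or [] when the data does not begin with the SOI marker FF D8."""
    if data[:2] != b"\xFF\xD8":
        return []
    segs = [("SOI", 0, b"")]
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:          # SOS: entropy-coded data follows, stop
            segs.append(("SOS", 0, b""))
            break
        length = struct.unpack("!H", data[pos + 2:pos + 4])[0]
        body = data[pos + 4:pos + 2 + length]   # may be truncated in a capture
        segs.append((MARKER_NAMES.get(marker, "0x%02X" % marker), length, body[:5]))
        pos += 2 + length
    return segs


def inspect_icmp_echo(packet: bytes):
    """JPEG segments found in an ICMP echo/echo-reply payload, else []."""
    if len(packet) < 8 or packet[0] not in (0, 8):
        return []
    return jpeg_segments(packet[8:])


if __name__ == "__main__":
    for seg in inspect_icmp_echo(build_icmp_echo(SAMPLE_PAYLOAD)):
        print(seg)
```

A non-empty result on an echo packet is the signal to alert on; the COM body ("WANG2") and the JFIF string are what the quoted dump shows, so the segment list reproduces the poster's observation mechanically.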
