[Snort-users] ICMP Packets.

Rich Adamson radamson at ...2127...
Tue Aug 27 01:28:03 EDT 2002


> > Anybody recognize this payload? It is part of an ICMP packet. I have
> > searched google and haven't found any reason why I would see this 
> > data in an ICMP echo packet. 
> > Awfull suspicous....
> > 
> > FF D8 FF FE 00 08 57 41 4E 47 32 02 FF E0 00 10   ......WANG2.....
> > 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF DB   JFIF.....`.`....
> > 00 43 00 10 0B 0C 0E 0C 0A 10 0E 0D 0E 12 11 10   .C.............
> 
>    The JFIF is part of the header information in a JPEG image file.
>   If somebody is really tunneling image files through an ICMP connection
>   that is definitely not good (who knows what else is moving that way).

Another possibility is an application that is communicating license
data. The old Chameleon IP stack from NetManage.com use to do something
like that. They embeded their coded serial number in an icmp packet 
and sent it to a broadcast address. All other copies of their software
listened for the coded icmp, and if the serial number matched, disabled
the software since it was an illegal copy.

Are the source and destination addresses within your network?





More information about the Snort-users mailing list