[Snort-users] (new?) worm or bot signature - echo request

Scott Nursten scottn at ...4526...
Mon Feb 4 15:06:04 EST 2002


What version of Snort is this? If it's 1.8.3, there were some problems with
the stream4 (I think) preprocessor which was allowing for some pretty
unbelievable packet mangling by the time it hit the log :) Your packet looks
like an ICMP mangled with DHCP/BOOTP...!? I could be wrong, but I don't see
why DHCP info would be in an ICMP packet...!


Anyone else got any ideas?

Regards,

Scott Nursten

On 31/1/02 18:48, "Stephane Nasdrovisky" <stephane.nasdrovisky at ...4735...>
wrote:

> 
> I received a strange icmp packet. The payload contains
> SERVER Offered         | Offering: 192.168.0.31  To: 0030651278CF  By:19
> 
> (0030651278CF=207854139599=3014504474317(oct)=0.48.101.18.120.207  which
> doesn't mean anything for me)
> 
> A search on google gave me no good result, the only potentially useful
> link is:
> http://www.wi2600.org/mediawhore/nf0/wireless/dumps/madison-minakwa-and-briar-hill/Data/Briar%20Hill%20International.libpcap
> 
> [**] IDS171/icmp_ping zeros [**]
> 01/31-15:07:15.772291  type:0x800 len:0x86
> 213.221.141.64 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20
> DgmLen:120 DF
> Type:8  Code:0  ID:1376   Seq:23296  ECHO
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 20 53 45 52 56 45 52 20 4F 66 66 65 72 65  .. SERVER Offere
> 64 20 20 20 20 20 20 20 20 20 7C 20 4F 66 66 65  d         | Offe
> 72 69 6E 67 3A 20 31 39 32 2E 31 36 38 2E 30 2E  ring: 192.168.0.
> 33 31 20 20 54 6F 3A 20 30 30 33 30 36 35 31 32  31  To: 00306512
> 37 38 43 46 20 20 42 79 3A 20 31 39              78CF  By: 19
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] IDS171/icmp_ping zeros [**]
> 01/31-15:07:15.780343  type:0x800 len:0x86
> 213.221.141.64 -> 195.72.91.yyy ICMP TTL:234 TOS:0x0 ID:23288 IpLen:20
> DgmLen:120 DF
> Type:8  Code:0  ID:1376   Seq:23552  ECHO
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 20 53 45 52 56 45 52 20 4F 66 66 65 72 65  .. SERVER Offere
> 64 20 20 20 20 20 20 20 20 20 7C 20 4F 66 66 65  d         | Offe
> 72 69 6E 67 3A 20 31 39 32 2E 31 36 38 2E 30 2E  ring: 192.168.0.
> 33 31 20 20 54 6F 3A 20 30 30 33 30 36 35 31 32  31  To: 00306512
> 37 38 43 46 20 20 42 79 3A 20 31 39              78CF  By: 19
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> # whois -h whois.ripe.net 213.221.141.64
> % This is the RIPE Whois server.
> % The objects are in RPSL format.
> % Please visit http://www.ripe.net/rpsl for more information.
> % Rights restricted by copyright.
> % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
> 
> inetnum:      213.221.139.0 - 213.221.141.255
> netname:      TVS2NET
> descr:        tvs2net headend dransnet lancity
> country:      CH
> admin-c:      PAM49-RIPE
> tech-c:       OC609-RIPE
> rev-srv:      dns1.netplus.ch
> notify:       noc at ...4817...
> mnt-by:       AS15547-MNT
> status:       ASSIGNED PA
> changed:      pa.matthey at ...4817... 20011126
> source:       RIPE
> 
> route:        213.221.128.0/19
> descr:        Cablecom Holding AG
> descr:        Zollstrasse42
> descr:        CH-8021 Zuerich
> descr:        SWITZERLAND
> origin:       AS8404
> holes:        213.221.158.0/24
> notify:       lir-mnt at ...4818...
> mnt-by:       AS8404-MNT
> changed:      felix.giger at ...4818... 20010711
> source:       RIPE
> 
> person:       Pierre-Alain Matthey
> address:      TVS2NET
> address:      Rue de l'industrie 43
> address:      CH-1951 SION
> address:      SWITZERLAND
> phone:        +41273240469
> fax-no:       +41273240412
> e-mail:       pa.matthey at ...4817...
> nic-hdl:      PAM49-RIPE
> changed:      pa.matthey at ...4817... 20011008
> source:       RIPE
> 
> person:       Olivier Crettenand
> address:      Energie de Sion Region SA
> address:      Rue de l'Industrie 43
> address:      CH-1951 Sion
> address:      Switzerland
> phone:        + 41 27 324 0473
> fax-no:       + 41 27 324 0412
> e-mail:       olivier.crettenand at ...4817...
> nic-hdl:      OC609-RIPE
> notify:       hostmaster at ...4819...
> changed:      hostmaster at ...4819... 20010517
> source:       RIPE
> 
> 
> 
> 
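A check worth running on an alert like the ones quoted above, added here as an example and not code from the thread: reassemble the ICMP payload from the Snort hex dump, confirm its length matches DgmLen - IpLen - 8 (a mismatch would support the log-mangling explanation, a match argues the bytes really were on the wire), and reproduce the decimal, octal and dotted readings of the `To:` token from the original post. The alert text is copied from the first quoted packet; the function names are my own.

```python
import re

# Constructed sample: the first alert from the quoted post, as Snort logs it
# (IP header line, ICMP header line, then the 16-bytes-per-line hex dump).
ALERT = """\
213.221.141.64 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20
DgmLen:120 DF
Type:8  Code:0  ID:1376   Seq:23296  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 20 53 45 52 56 45 52 20 4F 66 66 65 72 65  .. SERVER Offere
64 20 20 20 20 20 20 20 20 20 7C 20 4F 66 66 65  d         | Offe
72 69 6E 67 3A 20 31 39 32 2E 31 36 38 2E 30 2E  ring: 192.168.0.
33 31 20 20 54 6F 3A 20 30 30 33 30 36 35 31 32  31  To: 00306512
37 38 43 46 20 20 42 79 3A 20 31 39              78CF  By: 19
"""
ICMP_HEADER_LEN = 8  # type, code, checksum, identifier, sequence
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_alert(text):
    """Return IpLen, DgmLen and the ICMP payload reassembled from the dump."""
    ip_len = dgm_len = None
    payload = bytearray()
    for line in text.splitlines():
        if m := re.search(r"IpLen:(\d+)", line):
            ip_len = int(m.group(1))
        if m := re.search(r"DgmLen:(\d+)", line):
            dgm_len = int(m.group(1))
        # Take at most 16 leading "XX" tokens; the ASCII column that follows
        # is Snort's own rendering of the same bytes and must not be counted.
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            payload.append(int(tok, 16))
    return {"ip_len": ip_len, "dgm_len": dgm_len, "payload": bytes(payload)}

def payload_length_consistent(alert):
    """True when the dumped bytes account for DgmLen - IpLen - ICMP header."""
    return len(alert["payload"]) == alert["dgm_len"] - alert["ip_len"] - ICMP_HEADER_LEN

def printable_text(payload):
    """The payload as ASCII with its NUL padding removed."""
    return payload.replace(b"\x00", b"").decode("ascii", errors="replace")

def hex_token_views(token):
    """Decimal, octal and dotted-byte readings of a 12-hex-digit token."""
    value = int(token, 16)
    return {"decimal": value, "octal": format(value, "o"),
            "dotted": ".".join(str(b) for b in bytes.fromhex(token))}
```

For the quoted packet the 92 dumped bytes equal 120 - 20 - 8 exactly, so the payload as logged is at least internally consistent with the IP header.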