[Snort-users] (new?) worm or bot signature - echo request

Stephane Nasdrovisky stephane.nasdrovisky at ...4735...
Tue Feb 5 11:40:10 EST 2002

Scott Nursten wrote:

> What version of Snort is this? If it's 1.8.3,

It was a snort 1.8.1 on solaris 8/sparc

> there were some problems with the stream4 (I think) preprocessor which was
> allowing for some pretty
> unbelievable packet mangling by the time it hit the log :)

> Your packet looks like a ICMP mangled with DHCP/BOOTP...!?

> I could be wrong, but I don't see why DHCP info would be in an ICMP packet...!

I don't see either. There is no dhcp server on the network snort is listening on,
our dhcp server is not serving any 192.168.0.* address, the mac address is not one
of ours.
I bet the icmp packet did really contain this data, it is probably not a snort
Another alternative is a flaw in the ip stack of the sender. I've sometimes seen
packets (especially reset) containing data they should not contain (i.e. a browser
sending back part of the server's answer). Although I sometimes suspect some snort
undocumented features, I've seen the same kind of behaviour in snoop outputs.

I had never looked at dhcp packets, at least, I learned what dhcp packets look like
now. I was thinking of some malicious code reporting back their activity.

> Anyone else got any ideas?
> > I received a strange icmp packet. The payload contains
> > SERVER Offered         | Offering:  To: 0030651278CF  By:19
> >
> > -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20
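An added example, not part of this thread: it constructs a packet with the header values from the quoted Snort line (TTL 233, ID 23287, IpLen 20) carrying the quoted text as the ICMP echo payload, decodes it the way a sensor would, and labels the payload as a stock OS ping pattern, readable text, or something else, which is the check one would run to tell a genuinely odd payload from a sensor artefact. The addresses and the stock-ping patterns are assumptions.

```python
import struct

# Assumed stock echo payloads: Windows ping repeats the alphabet in a 32-byte
# block; Unix pings send an 8-byte timestamp followed by consecutive byte values.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"

def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum (used for both the IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(payload: bytes, ttl: int = 233, ip_id: int = 23287) -> bytes:
    """Constructed IPv4 + ICMP echo request; addresses are RFC 5737 placeholders."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + icmp

def parse_echo(packet: bytes) -> dict:
    """Pull the fields Snort prints (TTL, ID, IpLen) plus the ICMP type and payload."""
    vihl, _, total_len, ip_id, _, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    iplen = (vihl & 0x0F) * 4
    if proto != 1:
        raise ValueError("not an ICMP packet")
    itype, code = packet[iplen], packet[iplen + 1]
    return {"ttl": ttl, "id": ip_id, "iplen": iplen, "type": itype, "code": code,
            "payload": packet[iplen + 8:total_len]}

def classify_payload(payload: bytes) -> str:
    """Label an echo payload: stock ping pattern, readable text, or other."""
    if payload == WINDOWS_PING:
        return "windows-ping"
    body = payload[8:]  # skip the timestamp a Unix ping puts first
    if len(body) >= 8 and all(b == body[0] + i for i, b in enumerate(body)):
        return "unix-ping"
    if payload and all(32 <= b < 127 for b in payload):
        return "printable-text"  # text in an echo request deserves a look
    return "other"
```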
