[Snort-users] (new?) worm or bot signature - echo request
stephane.nasdrovisky at ...4735...
Tue Feb 5 11:40:10 EST 2002
Scott Nursten wrote:
> What version of Snort is this? If it's 1.8.3,
It was a snort 1.8.1 on solaris 8/sparc
> there were some problems with the stream4 (I think) preprocessor which was
> allowing for some pretty
> unbelievable packet mangling by the time it hit the log :)
> Your packet looks like a ICMP mangled with DHCP/BOOTP...!?
> I could be wrong, but I don't see why DHCP info would be in an ICMP packet...!
I don't see either. There is no dhcp server on the network snort is listening on,
our dhcp server is not serving any 192.168.0.* address, the mac address is not one
I bet the icmp packet did really contained this data, it is probably not a snort
Another alternative is a flaw in the ip stack of the sender. I've sometimes seen
packets (especially reset) containing data they should not contain (i.e. a browser
sending back part of the server's answer). Although I sometimes suspect some snort
undocumented features, I've seen the same king of behaviour in snoop outputs.
I had never looked at dhcp packets, at least, I learned what dhcp packets looks like
now. I was thinking of some malicious code reporting back their activity.
> Anyone else got any ideas?
> > I received a strange icmp packet. The payload contains
> > SERVER Offered | Offering: 192.168.0.31 To: 0030651278CF By:19
> > 220.127.116.11 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20
More information about the Snort-users