[Snort-users] Snort rule regarding L3Retriever Ping

pbsarnac at ...1799... pbsarnac at ...1799...
Wed Mar 20 07:40:11 EST 2002

A google search for L3 retriever yeilds a couple of articles. I picked this
It appears that L3 Retriever is a network mapping/vulnerability scanning
tool developed by L-3 Security, which was apparently purchased by Symantec
in the fall of 2000. I'm assuming that they integrated the technology into
their NetRecon product.

This signature indicates that someone is mapping your network with the L-3
Retriever product.

I would recommend updating the signature so that the alert message is "ICMP
L-3 Retriever Ping".  That would make it easier for people to do their own
google searches on the rule.

|         |           Ashley Thomas               |
|         |           <athomas at ...3539...>    |
|         |           Sent by:                    |
|         |           snort-users-admin at ...4626...|
|         |           ceforge.net                 |
|         |                                       |
|         |                                       |
|         |           03/19/2002 10:29 PM         |
|         |                                       |
  |                                                                                                                       |
  |       To:       snort-users at lists.sourceforge.net                                                                     |
  |       cc:       vamahadi at ...3539...                                                                               |
  |       Subject:  [Snort-users] Snort rule regarding L3Retriever Ping                                                   |


There was a question regarding the below rule: (but didnt find any

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping";
 8; icode: 0; depth: 32; reference:arachnids,311;
 classtype:attempted-recon; sid:466; rev:1;)

Is there any particular reason for this alert ??

The lone fact that content has "ABCD..." does 'nt require much attention,
right ?
and such a rule might cause false alarms, correct ?

Pls correct me if i am wrong.


Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list