[Snort-users] MISC Large ICMP Packet alert on small ICMP packet

Bill McCarty bmccarty at ...5196...
Fri Mar 22 20:58:01 EST 2002


I'm seeing MISC Large ICMP Packet alerts and don't see why. I used nmap to 
scan one of my hosts, using options -f -sS -p 53. The resulting alert, 
related to nmap's ping rather than the SYN scan, was:

> 03/22-20:21:30.429717  [**] [1:499:1] MISC Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} xxx.xxx.xxx.31 -> xxx.xxx.xxx.5

The relevant Snort rule is:

> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)

This rule seems to look for a datagram size exceeding 800 bytes. But a 
tcpshow dump of the relevant packet shows a datagram size of only 28 bytes.

> Packet 371
>         Timestamp:                      20:21:30.429717
> IP Header
>         Version:                        4
>         Header Length:                  20 bytes
>         Service Type:                   0x00
>         Datagram Length:                28 bytes
>         Identification:                 0x1775
>         Flags:                          MF=off, DF=off
>         Fragment Offset:                0
>         TTL:                            45
>         Encapsulated Protocol:          ICMP
>         Header Checksum:                0x2571
>         Source IP Address:              xxx.xxx.xxx.31
>         Destination IP Address:         xxx.xxx.xxx.5
> ICMP Header
>         Type:                           echo-request
>         Checksum:                       0x1F16
> ICMP Data
>         ....

I'm clearly missing something. Can someone point me in the right direction?

Thanks, as always!

---------------------------------------------------
Bill McCarty
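A worked check of the rule against the dump, added here as an example and not part of the original post. Snort's dsize option tests the number of payload bytes after the transport header, not the IP "Datagram Length" field. For the echo-request shown, that is 28 bytes minus the 20-byte IP header minus the 8-byte ICMP echo header, i.e. 0 bytes, which cannot satisfy `dsize: >800`. The script parses the tcpshow text quoted above (the field values are copied from the post, not constructed), extracts the dsize test from the quoted rule, and reports whether this packet could match; the helper names and the one-line rule string are this example's own. It cannot say which packet did raise the alert, only that the dumped one did not.

```python
import re

# tcpshow output copied from the post; the values are the dump's own, not constructed.
TCPSHOW_DUMP = """\
Packet 371
        Timestamp:                      20:21:30.429717
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                28 bytes
        Identification:                 0x1775
        Flags:                          MF=off, DF=off
        Fragment Offset:                0
        TTL:                            45
        Encapsulated Protocol:          ICMP
        Header Checksum:                0x2571
        Source IP Address:              xxx.xxx.xxx.31
        Destination IP Address:         xxx.xxx.xxx.5
ICMP Header
        Type:                           echo-request
        Checksum:                       0x1F16
ICMP Data
        ....
"""

# The rule from the post, joined onto one line.
RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; '
        'dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)')

ICMP_ECHO_HEADER_LEN = 8  # type, code, checksum, identifier, sequence number


def parse_tcpshow(text):
    """Collect the 'Name: value' fields of a tcpshow dump into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def icmp_payload_len(fields):
    """Bytes after the ICMP echo header: what Snort's dsize actually tests."""
    if fields["Encapsulated Protocol"] != "ICMP":
        raise ValueError("not an ICMP datagram")
    datagram = int(fields["Datagram Length"].split()[0])
    ip_hdr = int(fields["Header Length"].split()[0])
    return datagram - ip_hdr - ICMP_ECHO_HEADER_LEN


def is_fragment(fields):
    """True when the dump shows a fragment (MF set or non-zero offset)."""
    return "MF=on" in fields["Flags"] or int(fields["Fragment Offset"]) > 0


def dsize_matches(rule, payload_len):
    """Evaluate a rule's dsize option (>N, <N or exactly N) against a payload length."""
    m = re.search(r"dsize:\s*([<>]?)\s*(\d+)", rule)
    if not m:
        return True  # no dsize option, so it places no constraint on the match
    op, n = m.group(1), int(m.group(2))
    if op == ">":
        return payload_len > n
    if op == "<":
        return payload_len < n
    return payload_len == n


def check_packet(dump=TCPSHOW_DUMP, rule=RULE):
    """Summarise whether the dumped packet could satisfy the rule's dsize test."""
    fields = parse_tcpshow(dump)
    payload = icmp_payload_len(fields)
    return {
        "payload_len": payload,
        "fragment": is_fragment(fields),
        "dsize_match": dsize_matches(rule, payload),
    }


if __name__ == "__main__":
    for key, value in check_packet().items():
        print(f"{key}: {value}")
```

Running it reports a 0-byte payload, no fragmentation and no dsize match for the dumped packet. Swapping in a larger "Datagram Length" (say 1500 bytes) shows the same code returning a 1472-byte payload and a match, which is the size of echo request this rule is written to catch.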
