[Snort-users] icmp: is this real?

John Sage jsage at ...2022...
Sun Mar 31 19:04:10 EST 2002


Is this a _real_ icmp packet, or a ghost in the machine?

This was in a portscan I got around midnight 03/30/02. It is in
sequence with the IP ID ahead of it, and after..

And it _didn't_ have the  Type: Code: ID: Seq:  data line as all other
packets usually do..

The DgmLen: is clearly bogus, unless snort is on crack..

Oh yeah, snort 1.8.2 build 86, running on Linux 2.2.14.


<snip>

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

03/30-00:01:12.030074 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35873 IpLen:20 DgmLen:32 

00 01 00 00 00 31 00 04 D1 49 A4 4C C0 5B 00 01  .....1...I.L.[..
00 01 00 00 00 55 00 04 D1 49 A4 07 C1 0F 00 01  .....U...I......
00 01 00 00 04 3F 00 04 D1 E4 16 32 04 D2 84 64  .....?.....2...d
65 C0 E1 00 01 00 01 00 02 A3 00 00 04 D5 B1 C2  e...............
05 C0 F1 00 01 00 01 00 02 A3 00 00 04 C0 0C 5E  ...............^
1E C1 01 00 01 00 01 00 02 A3 00 00 04 C0 37 53  ..............7S 
1E 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

<snip>

This sucker is _long_ -- probably 13 page-downs when viewed with Opera
at 1024x768..

<snip>

30 20 33 30 20 32 30 20 33 30 20 33 30 20 32 30  0 30 20 30 30 20
20 33 30 20 33 30 20 32 30 20 33 30 20 33 30 20   30 30 20 30 30
32 30 20 33 30 20 33 30 20 32 30 20 20 20 30 30  20 30 30 20   00
20 30 30 20 30 30 20 30 30 20 30 30 20 0A 33 30   00 00 00 00 .30
20 33 30 20 32 30 20 33 30 20 33 30 20 32 30 20   30 20 30 30 20
33 30 20 33 30 20 32 30 20 33 30 20 33 30 20 32  30 30 20 30 30 2
30 20 33 30 20 33 30 20 32 30 20 33 30 20 20 30  0 30 30 20 30  0
30 20 30 30 20 30 30 20 30 30 20 30 30 20 30 0A  0 00 00 00 00 0.
33 30 20 32 30 20 32 30 20 32 45 20 32 45 20 32  30 20 20 2E 2E 2
45 20 32 45 20 32 45 20 32 45 20 32 45 20 32 45  E 2E 2E 2E 2E 2E
20 32 45 20 32 45 20 32 45 20 32 45 20 32 45 20   2E 2E 2E 2E 2E
20 30 20 20 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E   0  ............
2E 0A 32 45 20 32 45 20 32 45 20 30 41 20 33 30  ..2E 2E 2E 0A 30
20 33 30 20 32 30 20 33 30 20 33 30 20 32 30 20   30 20 30 30 20
33 30 20 33 30 20 32 30 20 33 30 20 33 30 20 32  30 30 20 30 30 2
30 20 20 2E 2E 2E 2E 30 30 20 30 30 20 30 30 20  0  ....00 00 00
30 30 20 0A 33 30 20 33 30 20 32 30 20 33 30 20  00 .30 30 20 30
33 30 20 32 30 20 33 30 20 33 30 20 32 30 20 33  30 20 30 30 20 3
30 20 33 30 20 32 30 20 33 30 20 33 30 20 32 30  0 30 20 30 30 20
20 33 30 20 20 30 30 20 30 30 20 30 30 20 30 30   30  00 00 00 00
20 30 30 20 30 0A 33 30 20 32 30 20 33 30 20 33   00 0.30 20 30 3
30 20 32 30 20 33 30 20 33 30 20 32 30 20 33 30  0 20 30 30 20 30
20 33 30 20 32 30 20 33 30 20 33 30 20 32 30 20   30 20 30 30 20
33 30 20 33 30 20 20 30 20 30 30 20 30 30 20 30  30 30  0 00 00 0
30 20 30 30 20 30 30 0A 32 30 20 33 30 20 33 30  0 00 00.20 30 30
20 32 30 20 32 30 20 32 45 20 32 45 20 32 45 20   20 20 2E 2E 2E
32 45 20 32 45 20 32 45 20 32 45 20 32 45 20 32  2E 2E 2E 2E 2E 2
45 20 32 45 20 32 45 20 20 20 30 30              E 2E 2E   00 

Got NULL ptr in PrintNetData() 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

03/30-00:01:12.040094 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35874 IpLen:20 DgmLen:64
Type:13  Code:0  TIMESTAMP REQUEST
A5 2F 03 00 47 F4 52 00 55 55 55 55 55 55 55 55  ./..G.R.UUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55                          UUUUUUUU 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

<snip>


And again, the packet before it, and after, are all in IP ID sequence
with all other packets in the portscan.


- John
-- 
In those days, you could not buy a $2000 200MHz Pentium server.
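The question the post raises is whether the IP header's DgmLen can be trusted when the decoder dumps far more bytes than that length allows and then reports "Got NULL ptr in PrintNetData()". The script below is an added example written for this thread; it is not Snort's decoder. It parses a raw IPv4 datagram the way a capture library hands it up, verifies the header checksum, and compares DgmLen (total length) against IpLen (header length) and against the number of bytes actually captured, reporting any disagreement. The two sample datagrams are constructed for the demo: the first copies the TTL, ID, addresses and DgmLen:32 from the questionable record but carries 108 bytes of ICMP data, the second is a well-formed 64-byte timestamp request. The helper names (`check_icmp_lengths`, `build_icmp_datagram`) are this example's own.

```python
"""Sanity-check the length fields of a captured IPv4/ICMP datagram.

Added example, not Snort code: compare the IP total length (Snort's DgmLen)
with the header length (IpLen) and with the number of bytes actually captured.
"""
import struct
from dataclasses import dataclass

IPPROTO_ICMP = 1
ICMP_MIN_HEADER = 8          # type, code, checksum, 4-byte "rest of header"
ETHERNET_MIN_PAYLOAD = 46    # 60-byte minimum frame minus the 14-byte Ethernet header


@dataclass
class Ipv4Header:
    header_len: int     # IpLen in Snort's output
    total_len: int      # DgmLen in Snort's output
    ident: int          # ID
    ttl: int
    protocol: int
    checksum_ok: bool
    src: str
    dst: str


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(buf: bytes) -> Ipv4Header:
    """Decode the fixed 20-byte IPv4 header and verify its checksum."""
    if len(buf) < 20:
        raise ValueError("fewer than 20 bytes: no complete IPv4 header")
    ver_ihl, _tos, tot_len, ident, _frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("version nibble is not 4")
    hlen = (ver_ihl & 0x0F) * 4
    if hlen < 20 or len(buf) < hlen:
        raise ValueError("IHL %d is invalid or exceeds the captured bytes" % hlen)
    zeroed = buf[:10] + b"\x00\x00" + buf[12:hlen]
    return Ipv4Header(hlen, tot_len, ident, ttl, proto, ipv4_checksum(zeroed) == csum,
                      ".".join(map(str, src)), ".".join(map(str, dst)))


def check_icmp_lengths(datagram: bytes) -> list:
    """Return human-readable anomalies; an empty list means the lengths agree."""
    hdr = parse_ipv4_header(datagram)
    findings = []
    if not hdr.checksum_ok:
        findings.append("IP header checksum does not verify")
    if hdr.protocol != IPPROTO_ICMP:
        findings.append("protocol %d is not ICMP" % hdr.protocol)
    icmp_room = hdr.total_len - hdr.header_len
    if icmp_room < ICMP_MIN_HEADER:
        findings.append("DgmLen %d leaves only %d bytes for ICMP, fewer than the %d-byte header"
                        % (hdr.total_len, icmp_room, ICMP_MIN_HEADER))
    captured = len(datagram)
    if captured < hdr.total_len:
        findings.append("capture holds %d bytes but DgmLen says %d: truncated capture (snaplen?)"
                        % (captured, hdr.total_len))
    elif captured > hdr.total_len:
        excess = captured - hdr.total_len
        if captured <= ETHERNET_MIN_PAYLOAD:
            findings.append("%d trailing bytes, consistent with Ethernet minimum-frame padding" % excess)
        else:
            findings.append("%d bytes past DgmLen %d: the length field disagrees with the capture"
                            % (excess, hdr.total_len))
    return findings


def build_icmp_datagram(total_len: int, ident: int, ttl: int, src: str, dst: str,
                        icmp_bytes: bytes) -> bytes:
    """Construct a demo datagram; total_len is written as given so it can be made bogus."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl,
                          IPPROTO_ICMP, 0, src_b, dst_b)
    hdr = no_csum[:10] + struct.pack("!H", ipv4_checksum(no_csum)) + no_csum[12:]
    return hdr + icmp_bytes


# Constructed sample 1: header fields from the questionable record (TTL 127, ID 35873,
# DgmLen 32) followed by the first 12 dumped bytes and 96 zero bytes: 108 bytes of ICMP
# data where a 32-byte datagram has room for 12.
BOGUS = build_icmp_datagram(32, 35873, 127, "12.82.128.93", "12.82.128.102",
                            bytes.fromhex("00 01 00 00 00 31 00 04 D1 49 A4 4C") + b"\x00" * 96)

# Constructed sample 2: a well-formed ICMP timestamp request (type 13), 44 ICMP bytes,
# DgmLen 64 = 20 + 44, so nothing should be reported.
TIMESTAMP_OK = build_icmp_datagram(64, 35874, 127, "12.82.128.93", "12.82.128.102",
                                   bytes([13, 0, 0, 0, 0, 0, 0, 0]) + b"\x55" * 36)

if __name__ == "__main__":
    for name, pkt in (("bogus", BOGUS), ("timestamp", TIMESTAMP_OK)):
        print(name, parse_ipv4_header(pkt), check_icmp_lengths(pkt) or "lengths agree")
```

Run against a real capture, feed the function the IP datagram as libpcap delivers it (after stripping the link-layer header). A few trailing bytes on a short datagram are normal Ethernet padding and are reported as such; a large excess like the one here means the total length field and the captured data cannot both be right, which is exactly the situation in which a decoder that trusts DgmLen ends up reading past the end of what it expected.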
