[Snort-users] SUMMARY, CyberKit 2.2 Ping, it's driven me nuts..

Jeff Kell jeff-kell at ...6282...
Wed Dec 31 19:53:02 EST 2003


Earlier I wrote:
> Brice B wrote:
>  Chris,
> 
>>  would you mind telling us how you set it to alert only internal 
>> Cyberkit/Nachi ping attempts? Did you use thresholding?
> 
> Can anyone verify the [non]existence of a difference between the 
> Cyberkit and Nachi pings?  Not having Cyberkit myself, I can only
> address Nachi.  The frame is 106 bytes on the wire, 92 bytes in the IP 
> packet, and 64 bytes of 0xaa in the ICMP data payload.

I just captured a packet with Snort that was flagged as Cyberkit and it 
differs from the classic Nachi packet -- the data payload is 68 bytes 
and the last 4 bytes are nulls:

> #(1 - 55391) [2003-12-31 21:52:18] [arachNIDS/154] [snort/483]
> ICMP PING CyberKit 2.2 Windows
> IPv4: 218.22.67.12 -> xxx.xx.xxx.xxx
>       hlen=5 TOS=0 dlen=96 ID=0 flags=0 offset=0 TTL=108 chksum=3011
> ICMP: type=Echo Request code=0
>       checksum=20776 id= seq=
> Payload:  length = 68
> 
> 000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
> 010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
> 020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
> 030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
> 040 : 00 00 00 00                                       ....

The classic Nachi pings are 64 bytes in length, and all 0xAA.  I don't 
get Nachi pings anymore since they are blocked by our border routers. 
This one got through because the length didn't match Nachi.

So... is this really a Cyberkit ping?  And if so, can't someone a bit 
more experienced with signatures create revised signatures that will 
differentiate between Cyberkit and Nachi?

Or, since Nachi is "supposed" to expire tomorrow, is it even worth it?

Jeff
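As an added example (not code from Jeff's post, nor a Snort rule), the following Python builds the two echo-request shapes described in the thread and tells them apart by ICMP data length and content, the same distinction a revised signature would need; the addresses, TTL and id/seq values are constructed placeholders.

```python
import struct

# Constructed sample payloads using the sizes quoted in the thread:
# Nachi = 64 bytes of 0xAA, CyberKit = 64 bytes of 0xAA plus 4 nulls.
NACHI_PAYLOAD = b"\xaa" * 64
CYBERKIT_PAYLOAD = b"\xaa" * 64 + b"\x00" * 4


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for both IP header and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0, seq: int = 0) -> bytes:
    """IPv4 header (hlen=5, no options) + ICMP echo request, as Snort would decode it."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)            # this is the "dlen" Snort prints
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # placeholder addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 108, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def classify_echo(packet: bytes) -> str:
    """Return 'nachi', 'cyberkit' or 'other' based on the ICMP data portion."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                    # IP protocol 1 = ICMP
        return "other"
    icmp = packet[ihl:]
    if icmp[0] != 8 or icmp[1] != 0:      # only echo requests are of interest
        return "other"
    if inet_checksum(icmp) != 0:          # corrupted packet: do not trust the payload
        return "other"
    data = icmp[8:]
    if data == b"\xaa" * 64:              # 64 bytes, all 0xAA: classic Nachi
        return "nachi"
    if data == b"\xaa" * 64 + b"\x00" * 4:  # 68 bytes, trailing 4 nulls: CyberKit 2.2
        return "cyberkit"
    return "other"
```

Both shapes match the lengths in the thread: the Nachi packet is 92 bytes of IP and the CyberKit one is 96 (dlen=96 in the alert above).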
