[Snort-users] large icmp packets with embedded jpegs

cmcauley at ...7946... cmcauley at ...7946...
Thu Jan 9 07:44:03 EST 2003


With a Snort setup installed at a client location, we have discovered ICMP packets 
triggering Snort's "large icmp packet" rule.  These packets have a similar, if 
not the same, structure to what is discussed in these links:

archives:
http://marc.theaimsgroup.com/?l=snort-users&m=103064802326192&w=2
http://marc.theaimsgroup.com/?l=snort-users&m=103771074015725&w=2

and this research:
http://www.wfu.edu/~steinsj5/work/icmp.html

There is a little more info out on the net, but it provides no further information.

Is there any more information as to what these could be?  Is this really normal 
traffic to be seeing on a win2k/XP network?  Curious minds want to know.

Chuck McAuley
Coresecure, Inc.



