[Snort-users] question about ICMP echo reply (undefined code) rule

Rob Burris robeb at ...10609...
Thu Nov 20 17:00:02 EST 2003


Matt Kettler wrote:

> At 04:34 PM 11/20/2003, Rob Burris wrote:
>
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply 
>> (Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)
>>
>> But isn't this type of ICMP message expected back from the machine 
>> that is replying to the request?
>
>
> Technically itype 0 icode 0 is expected. itype 0 with any other icode 
> is not.
>
> This rule is really meant to be used in conjunction with SID 408... 
> SID 408 picks up the ones with icmp type/code of 0/0, and then 409 
> picks up everything else. 


OK, that makes sense, but then shouldn't snort log the message with SID 
408 instead of SID 409? If I ping yahoo.com snort logs the alert as SID 
409. Why would yahoo.com reply with an invalid or undefined icmp message?

[**] ICMP Echo Reply (Undefined Code!) [**]
2003-11-20:14:10:45 66.218.71.198 -> 10.0.1.1
ICMP TTL:243 TOS:0 ID:48631 IpLen:5 DgmLen:84
Type:0 Code:0 ID: Seq:

- rob
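As an added example (not part of the original post, and not Snort's own code): the SID 409 rule text quoted in the thread carries an `itype: 0` test but no `icode` test, so it is worth seeing on paper which ICMP type/code pairs each rule body accepts. The script below rebuilds the logged packet from the alert's own header values (TTL 243, ID 48631, IpLen 5, DgmLen 84, type 0, code 0, 66.218.71.198 -> 10.0.1.1) as raw IPv4+ICMP bytes, parses them back, and evaluates three rule bodies against them: SID 409 exactly as quoted, an assumed wording of SID 408 (`itype:0; icode:0;`, since the page does not quote it), and a hypothetical tightened 409 with `icode:>0` that only fires on non-zero codes. Assumptions: the `$EXTERNAL_NET`/`$HOME_NET` header, checksums, and Snort's real event-queue behaviour are not modelled; only the `itype`/`icode` option forms used here (`N`, `>N`, `<N`) are parsed.

```python
import struct

# SID 409 rev 4, copied from the post: note it tests itype only, never icode.
SID_409 = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply '
           '(Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)')
# Assumed wording of SID 408 (not quoted on the page): echo reply with type 0 AND code 0.
SID_408 = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; '
           'icode:0; itype:0; sid:408; classtype:misc-activity; rev:4;)')
# Hypothetical tightened 409 (added here, not from the ruleset): type 0 with a non-zero code.
SID_409_TIGHT = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply '
                 '(Undefined Code!)"; itype:0; icode:>0; sid:409; classtype:misc-activity; rev:5;)')


def parse_rule(rule):
    """Return {option: value} from the parenthesised option list of a Snort rule."""
    body = rule[rule.index('(') + 1: rule.rindex(')')]   # first '(' is the option list
    opts = {}
    for opt in body.split(';'):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(':')
        opts[name.strip()] = value.strip().strip('"')
    return opts


def match_num(spec, value):
    """Evaluate a Snort itype/icode test of the form N, >N or <N (subset of the syntax)."""
    if spec.startswith('>'):
        return value > int(spec[1:])
    if spec.startswith('<'):
        return value < int(spec[1:])
    return value == int(spec)


def build_echo_reply(src, dst, ttl=243, ident=48631, icode=0, payload=b'\x00' * 56):
    """Construct a raw IPv4 datagram carrying an ICMP echo reply (type 0).

    Constructed test input; checksums are left at 0 because they play no part in
    rule matching here. 20-byte IP header + 8-byte ICMP header + 56-byte payload = 84,
    the DgmLen shown in the alert.
    """
    icmp = struct.pack('!BBHHH', 0, icode, 0, 0, 0) + payload     # type, code, csum, id, seq
    total = 20 + len(icmp)
    src_b = bytes(int(o) for o in src.split('.'))
    dst_b = bytes(int(o) for o in dst.split('.'))
    ip = struct.pack('!BBHHHBBH', 0x45, 0, total, ident, 0, ttl, 1, 0) + src_b + dst_b
    return ip + icmp


def parse_ipv4_icmp(pkt):
    """Pull the header fields Snort prints in an alert out of a raw IPv4+ICMP datagram."""
    ver_ihl, tos, dgmlen, ident, _frag, ttl, proto = struct.unpack('!BBHHHBB', pkt[:10])
    if proto != 1:
        raise ValueError('not an ICMP datagram')
    iplen = ver_ihl & 0x0F                    # header length in 32-bit words (IpLen)
    icmp = pkt[iplen * 4:]
    return {'src': '.'.join(str(b) for b in pkt[12:16]),
            'dst': '.'.join(str(b) for b in pkt[16:20]),
            'ttl': ttl, 'tos': tos, 'id': ident, 'iplen': iplen, 'dgmlen': dgmlen,
            'itype': icmp[0], 'icode': icmp[1]}


def rule_matches(rule, pkt):
    """True if the packet satisfies every itype/icode test the rule body carries."""
    opts = parse_rule(rule)
    fields = parse_ipv4_icmp(pkt)
    for key in ('itype', 'icode'):
        if key in opts and not match_num(opts[key], fields[key]):
            return False
    return True


def fired_sids(rules, pkt):
    """SIDs of every rule whose option tests the packet satisfies, in rule order."""
    return [int(parse_rule(r)['sid']) for r in rules if rule_matches(r, pkt)]


if __name__ == '__main__':
    yahoo_reply = build_echo_reply('66.218.71.198', '10.0.1.1')          # type 0 / code 0
    odd_reply = build_echo_reply('66.218.71.198', '10.0.1.1', icode=3)   # type 0 / code 3
    f = parse_ipv4_icmp(yahoo_reply)
    print('ICMP TTL:%d TOS:%d ID:%d IpLen:%d DgmLen:%d Type:%d Code:%d'
          % (f['ttl'], f['tos'], f['id'], f['iplen'], f['dgmlen'], f['itype'], f['icode']))
    print('0/0 reply vs 408 + quoted 409:   ', fired_sids([SID_408, SID_409], yahoo_reply))
    print('0/0 reply vs 408 + tightened 409:', fired_sids([SID_408, SID_409_TIGHT], yahoo_reply))
    print('0/3 reply vs 408 + tightened 409:', fired_sids([SID_408, SID_409_TIGHT], odd_reply))
```

Run as-is it reports that a type 0 / code 0 reply satisfies both the assumed 408 body and the quoted 409 body (the latter has nothing to reject it on), while the `icode:>0` variant separates the two cases. Which of several matching rules ends up in the log is a matter of Snort's event queue and is not modelled here.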
