[Snort-users] normal vs. malicious icmp echo
mkettler at ...4108...
Thu May 6 08:51:06 EDT 2004
At 11:25 PM 5/5/2004, Mario Guerendo wrote:
>I just wanted to know if anybody had a snort rule available that would
>differentiate a normal ICMP echo ping from a malicious one?
And what difference would you expect there to be?
Do you expect them to be RFC 3514 compliant???
A ping is a network diagnostic probe. It provides information about network
timing and if hosts are up or not. Normal vs malicious is a difference in
how that information is used, and not a difference in the packet.
Snort's default ruleset has a lot of rules to detect what program generated
an icmp echo, but knowing what tool made the packet (windows "ping", nmap,
whatsup gold, superscan, etc) won't tell you if the packet is malicious or
not. And let's face it, from a standpoint of a hacker, what format the ping
packet is completely irrelevant, so they can make it look like a windows
ping, or whatever else they want.
More information about the Snort-users