[Snort-users] normal vs. malicious icmp echo

Matt Kettler mkettler at ...4108...
Thu May 6 08:51:06 EDT 2004

At 11:25 PM 5/5/2004, Mario Guerendo wrote:
>I just wanted to know if anybody had a snort rule available that would
>differentiate a normal ICMP echo ping from a malicious one?

And what difference would you expect there to be?

Do you expect them to be RFC 3514 compliant???

A ping is a network diagnostic probe. It provides information about network 
timing and if hosts are up or not. Normal vs malicious is a difference in 
how that information is used, and not a difference in the packet.

Snort's default ruleset has a lot of rules to detect what program generated 
an icmp echo, but knowing what tool made the packet (windows "ping", nmap, 
whatsup gold, superscan, etc) won't tell you if the packet is malicious or 
not. And let's face it, from the standpoint of a hacker, what format the ping 
packet is in is completely irrelevant, so they can make it look like a windows 
ping, or whatever else they want.
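As an added illustration of the point above, not code from the original post or from Snort: a small Python classifier that looks for the same payload patterns Snort's default "ICMP PING Windows" and "ICMP PING *NIX" rules match on, and reports only the tool family, never intent. The packet builder and the sample payloads are constructed here, and the payload conventions (Windows ping's 32-byte alphabetic payload, Unix ping's 0x10, 0x11, ... byte ramp after the timestamp slot) are assumptions about those tools' defaults.

```python
import struct

# Constructed sample payloads, modelled on the tools' default echo payloads
# (assumption: these are the conventions the Snort rules key on).
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"        # 32 bytes
NIX_PAYLOAD = b"\x00" * 16 + bytes(range(0x10, 0x38))        # 56 bytes
NIX_PATTERN = bytes(range(0x10, 0x20))                       # 10 11 .. 1F

def icmp_checksum(data: bytes) -> int:
    """RFC 792 ones'-complement sum over 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def fingerprint_echo(packet: bytes) -> str:
    """Classify which tool family the payload resembles.

    This says nothing about whether the sender is hostile: any sender can
    copy these bytes, which is exactly the point made above.
    """
    if len(packet) < 8:
        return "truncated"
    if icmp_checksum(packet) != 0:           # valid packets sum to zero
        return "bad-checksum"
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != 8 or code != 0:
        return "not-echo-request"
    payload = packet[8:]
    if payload.startswith(b"abcdefghijklmnop"):
        return "windows-ping"
    if NIX_PATTERN in payload[:32]:          # ramp sits after the timestamp
        return "unix-ping"
    return "unknown"

if __name__ == "__main__":
    for name, payload in (("windows", WINDOWS_PAYLOAD), ("unix", NIX_PAYLOAD),
                          ("custom", b"\x00" * 32)):
        print(name, "->", fingerprint_echo(build_echo(payload)))
```

The third sample shows the other half of the argument: a sender that picks its own payload simply falls through to "unknown", and one that copies the Windows bytes is labelled "windows-ping" regardless of who sent it.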