[Snort-users] normal vs. malicious icmp echo

Milo Velimirovic milov at ...1467...
Thu May 6 12:53:04 EDT 2004

The OP asked a legitimate question. It is quite possible to embed data 
in the payload of an ICMP packet. To suggest that there is no 
difference between ordinary and malicious ICMP packets except for the 
way in which they are put to use really underestimates the capabilities 
and/or the creativity of the dark side.

It's possible to use ICMP echo request/reply packets to create a 
communication channel, for example nemesis-icmp. Also our friends at 
Phrack and their project Loki.

Last I checked there is an entry in the icmp rules to detect nemesis 
but not any that identify themselves as detecting loki.


On May 6, 2004, at 10:50 AM, Matt Kettler wrote:

> At 11:25 PM 5/5/2004, Mario Guerendo wrote:
>> I just wanted to know if anybody had a snort rule available that would
>> differentiate a normal ICMP echo ping from a malicious one?
> And what difference would you expect there to be?
> Do you expect them to be RFC 3514 compliant???
> http://www.faqs.org/rfcs/rfc3514.html
> A ping is a network diagnostic probe. It provides information about 
> network timing and if hosts are up or not. Normal vs malicious is a 
> difference in how that information is used, and not a difference in 
> the packet.
> Snort's default ruleset has a lot of rules to detect what program 
> generated an icmp echo, but knowing what tool made the packet (windows 
> "ping", nmap, whatsup gold, superscan, etc) won't tell you if the 
> packet is malicious or not. And let's face it, from a standpoint of a 
> hacker, what format the ping packet is in is completely irrelevant, so 
> they can make it look like a windows ping, or whatever else they want.
Milo Velimirović       <milov "at" uwlax "dot" edu>
Unix Computer Network Administrator
University of Wisconsin - La Crosse
La Crosse, Wisconsin 54601 USA   43 48 05 N 91 14 22 W

There are 10 different types of people in the world.
Those who can read binary and those who can't.
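
An added example, not part of the original message or of Snort's ruleset: Python triage for the ICMP echo channels discussed above, flagging echo payloads that match no default ping layout and echo replies that do not mirror their request. The default layouts, function names and sample packets are assumptions constructed for illustration; the heuristic does not identify Loki or nemesis by name, and a payload that matches a default layout says nothing about how the ping is being used.

```python
import struct

# Assumed defaults (not from the thread): Windows ping repeats a..w; Unix-style
# ping puts a timestamp in the first 8 or 16 bytes, then bytes equal to their offset.
WIN_ALPHABET = b"abcdefghijklmnopqrstuvw"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(itype, ident, seq, payload):
    """Build a constructed ICMP echo message (sample data only, never sent)."""
    body = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def payload_kind(p: bytes) -> str:
    if p and all(b == WIN_ALPHABET[i % 23] for i, b in enumerate(p)):
        return "windows-default"
    for ts in (8, 16):  # timestamp length on 32-bit and 64-bit senders
        if len(p) > ts and all(p[i] == i & 0xFF for i in range(ts, len(p))):
            return "unix-default"
    return "unrecognized"

def review(messages):
    """Flag unrecognized payloads and replies that do not mirror their request."""
    pending, findings = {}, []
    for msg in messages:
        if len(msg) < 8 or inet_checksum(msg) != 0:
            continue  # truncated or corrupt
        itype, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
        if itype not in (0, 8) or code != 0:
            continue  # not an echo request (8) or echo reply (0)
        payload = msg[8:]
        if payload_kind(payload) == "unrecognized":
            findings.append((ident, seq, "unrecognized-payload"))
        if itype == 8:
            pending[(ident, seq)] = payload
        elif pending.pop((ident, seq), payload) != payload:
            findings.append((ident, seq, "reply-differs-from-request"))
    return findings

# Constructed sample traffic: one ordinary exchange, one exchange carrying text.
UNIX = bytes(8) + bytes(range(8, 56))
SAMPLE = [build_echo(8, 1, 1, UNIX), build_echo(0, 1, 1, UNIX),
          build_echo(8, 7, 1, b"chunk-0001:hello"), build_echo(0, 7, 1, b"ack-0001")]
```
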
