[Snort-users] ICMP rule triggered by UDP packet

Kern, Daniel P. x1449 KernDP at ...16073...
Tue Feb 5 16:39:46 EST 2013


Hello everyone,

This one has baffled me for a while, so I thought I'd submit this to the group, as I may be missing something obvious.

Here's the rule:

alert icmp !$LEGIT_SRC any -> any any (msg:"LOCAL Illegitimate ICMP traffic"; detection_filter:track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:10002161; rev:2; )

It generally works fine.  However, here's one packet that pops below.  A UDP packet!  172.28.7.8 is in $LEGIT_SRC and it doesn't make any difference, the rule still pops.

------------------------------------------------------------------------
Count:90 Event#4.273137 2013-02-05 18:29:35
LOCAL Illegitimate ICMP traffic
172.28.7.8 -> 157.56.106.184
IPVer=4 hlen=5 tos=0 dlen=89 ID=41995 flags=0 offset=0 ttl=255 chksum=23670
Protocol: 17 sport=30811 -> dport=3544

len=69 chksum=37658
Payload:
00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00 ....R.X1].]..`..
00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF ...:............
FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 02 85 00 7D 38 00 00 00 00          .......}8....
Any thoughts?

Thanks for any insight!  --Dan
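The hex dump in the alert above is a Teredo datagram (UDP to port 3544, the Teredo server port): a Teredo authentication indicator (`00 01 ...`) followed by an IPv6 header whose next-header field is 0x3A (ICMPv6), carrying an ICMPv6 Router Solicitation from fe80::ffff:ffff:fffe to ff02::2. Snort's packet decoder decodes Teredo on UDP/3544 by default and runs rules against the inner IPv6 packet, so an `alert icmp` rule can fire on what the outer headers show as UDP, and the source address it compares against $LEGIT_SRC is the inner link-local address, not 172.28.7.8. The script below is an added example, not code from the original post or from Snort: it walks the bytes exactly as printed in the alert, strips the Teredo indicators, decodes the IPv6 and ICMPv6 headers and verifies the ICMPv6 checksum over the IPv6 pseudo-header, so the same check can be run on any suspect payload before assuming a rule is misfiring.

```python
"""Decode a Teredo (UDP/3544) datagram down to its inner ICMPv6 message.

Added example for the snort-users thread above; not part of the original
post or of Snort. Layout follows RFC 4380 section 5.1 (Teredo indicators)
and RFC 4443 (ICMPv6 checksum over the IPv6 pseudo-header).
"""
import ipaddress
import struct

# Payload bytes copied from the alert output in the post (61 bytes of UDP data).
PAYLOAD = bytes.fromhex(
    "00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00 "
    "00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF "
    "FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 02 85 00 7D 38 00 00 00 00"
)

ICMPV6_TYPES = {
    128: "Echo Request", 129: "Echo Reply",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
}


def strip_teredo_indicators(data):
    """Remove leading Teredo authentication (0x0001) and origin (0x0000) indicators.

    An IPv6 header starts with nibble 6, so a leading 0x00 byte can only be an indicator.
    Returns (list of parsed indicators, remaining bytes).
    """
    indicators = []
    while len(data) >= 2 and data[:2] in (b"\x00\x00", b"\x00\x01"):
        if data[:2] == b"\x00\x01":
            id_len, au_len = data[2], data[3]
            nonce_at = 4 + id_len + au_len
            hdr_len = nonce_at + 8 + 1          # + 8-byte nonce + 1 confirmation byte
            indicators.append({"kind": "authentication",
                               "nonce": data[nonce_at:nonce_at + 8].hex()})
        else:
            hdr_len = 8
            # Origin port and address are stored XORed with all ones.
            port = struct.unpack("!H", data[2:4])[0] ^ 0xFFFF
            addr = bytes(b ^ 0xFF for b in data[4:8])
            indicators.append({"kind": "origin", "port": port,
                               "addr": str(ipaddress.IPv4Address(addr))})
        data = data[hdr_len:]
    return indicators, data


def icmpv6_checksum(src, dst, msg):
    """One's-complement checksum of IPv6 pseudo-header + ICMPv6 message (RFC 4443 2.3)."""
    data = src + dst + struct.pack("!I3xB", len(msg), 58) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_teredo_datagram(payload):
    """Return a dict describing the Teredo indicators, inner IPv6 header and ICMPv6 message."""
    indicators, inner = strip_teredo_indicators(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("no IPv6 packet after Teredo indicators")
    _ver_tc_fl, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", inner[:40])
    result = {
        "teredo_indicators": indicators,
        "ipv6_src": str(ipaddress.IPv6Address(src)),
        "ipv6_dst": str(ipaddress.IPv6Address(dst)),
        "next_header": nh,
        "hop_limit": hlim,
    }
    body = inner[40:40 + plen]
    if nh == 58 and len(body) >= 4:             # 58 = ICMPv6
        icmp_type, code, csum = struct.unpack("!BBH", body[:4])
        zeroed = body[:2] + b"\x00\x00" + body[4:]   # checksum field zeroed for recomputation
        result["icmpv6"] = {
            "type": icmp_type,
            "code": code,
            "name": ICMPV6_TYPES.get(icmp_type, "type %d" % icmp_type),
            "checksum_ok": icmpv6_checksum(src, dst, zeroed) == csum,
        }
    return result


if __name__ == "__main__":
    d = decode_teredo_datagram(PAYLOAD)
    print("Teredo indicators:", d["teredo_indicators"])
    print("inner IPv6 %s -> %s, next header %d, hop limit %d"
          % (d["ipv6_src"], d["ipv6_dst"], d["next_header"], d["hop_limit"]))
    if "icmpv6" in d:
        print("ICMPv6 %(name)s (type %(type)d, code %(code)d), checksum ok: %(checksum_ok)s"
              % d["icmpv6"])
```

Running it on the bytes from the alert prints an inner `fe80::ffff:ffff:fffe -> ff02::2` Router Solicitation with a valid checksum, which is ordinary Teredo client start-up traffic rather than an ICMP anomaly on the IPv4 side. If the intent of sid 10002161 is to match only native IPv4 ICMP, a rule that inspects the outer headers (for example `alert udp ... 3544` for Teredo, or an `icmp` rule that also restricts `ip_proto`) is a better fit than tuning $LEGIT_SRC, since the IPv4 source is never what Snort compares here.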