[Snort-users] ICMP rule triggered by UDP packet
Castle, Shane
scastle at ...14946...
Tue Feb 5 17:54:16 EST 2013
Hmm - well, I'd first fall back to the complete packet, if possible - this one seems to have the IPv4 and other headers stripped off.
You also don't say what version of Snort you are running, or anything about your configuration.
Can you supply a complete pcap?
--
Shane Castle
Data Security Mgr, Boulder County IT
-----Original Message-----
From: Kern, Daniel P. x1449 [mailto:KernDP at ...16073...]
Sent: Tuesday, February 05, 2013 14:40
To: 'snort-users at lists.sourceforge.net'
Cc: 193-IDS Admin
Subject: [Snort-users] ICMP rule triggered by UDP packet
Hello everyone,
This one has baffled me for a while, so I thought I'd submit this to the group, as I may be missing something obvious.
Here's the rule:
alert icmp !$LEGIT_SRC any -> any any (msg:"LOCAL Illegitimate ICMP traffic"; detection_filter:track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:10002161; rev:2; )
It generally works fine. However, here's one packet that pops below. A UDP packet! 172.28.7.8 is in $LEGIT_SRC and it doesn't make any difference, the rule still pops.
------------------------------------------------------------------------
Count:90 Event#4.273137 2013-02-05 18:29:35
LOCAL Illegitimate ICMP traffic
172.28.7.8 -> 157.56.106.184
IPVer=4 hlen=5 tos=0 dlen=89 ID=41995 flags=0 offset=0 ttl=255 chksum=23670
Protocol: 17 sport=30811 -> dport=3544
len=69 chksum=37658
Payload:
00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00 ....R.X1].]..`..
00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF ...:............
FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 02 85 00 7D 38 00 00 00 00 .......}8....
Any thoughts?
Thanks for any insight! --Dan
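As an added illustration (not code from either poster): dport 3544 in the posted dump is the Teredo port, and running the posted payload bytes through the small RFC 4380 parser below shows an IPv6 packet carrying an ICMPv6 Router Solicitation inside the UDP datagram. The hex is copied from the dump above; the reading that a Teredo-decoding Snort (the 2.9 decoder handles UDP/3544 by default) matches the `icmp` rule against that inner ICMPv6 packet, whose source fe80::ffff:ffff:fffe is not 172.28.7.8, is my assumption rather than something the thread states.

```python
# Added example: decode a Teredo (RFC 4380) UDP payload -> IPv6 -> ICMPv6,
# to show what an "icmp" rule sees once the tunnel is decoded.
import ipaddress

# Constructed from the hex columns of the posted dump (61 bytes = UDP len 69 - 8).
POSTED_PAYLOAD = bytes.fromhex(
    "00010000521c58315d865d9400600000"
    "0000083afffe800000000000000000ff"
    "fffffffffeff02000000000000000000"
    "000000000285007d3800000000"
)

ICMPV6_TYPES = {128: "Echo Request", 129: "Echo Reply", 133: "Router Solicitation",
                134: "Router Advertisement", 135: "Neighbor Solicitation",
                136: "Neighbor Advertisement"}


def teredo_header_len(buf):
    """Length of the optional Teredo authentication and origin indications."""
    off = 0
    if buf[0:2] == b"\x00\x01":                 # authentication indicator
        id_len, au_len = buf[2], buf[3]
        off = 4 + id_len + au_len + 8 + 1       # client id, auth value, nonce, confirm
    if buf[off:off + 2] == b"\x00\x00":         # origin indication: port + IPv4
        off += 8
    return off


def decode_teredo_payload(buf):
    """Parse the encapsulated IPv6 header and, for next header 58, the ICMPv6 type."""
    off = teredo_header_len(buf)
    ip6 = buf[off:off + 40]
    if len(ip6) < 40 or ip6[0] >> 4 != 6:
        raise ValueError("no IPv6 header after the Teredo indications")
    payload_len = int.from_bytes(ip6[4:6], "big")
    next_header = ip6[6]
    result = {
        "teredo_header_len": off,
        "payload_len": payload_len,
        "next_header": next_header,
        "hop_limit": ip6[7],
        "src": str(ipaddress.IPv6Address(ip6[8:24])),
        "dst": str(ipaddress.IPv6Address(ip6[24:40])),
    }
    if next_header == 58:                       # ICMPv6 rides inside the tunnel
        icmp = buf[off + 40:off + 40 + payload_len]
        result["icmpv6_type"] = icmp[0]
        result["icmpv6_name"] = ICMPV6_TYPES.get(icmp[0], "unknown")
    return result


if __name__ == "__main__":
    print(decode_teredo_payload(POSTED_PAYLOAD))
```

Because the decoded source is a Teredo link-local address rather than the outer 172.28.7.8, a `!$LEGIT_SRC` check built from IPv4 addresses cannot whitelist it; that is the first thing to confirm against the full pcap and the Snort version, as asked above.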