[Snort-users] ICMP rule triggered by UDP packet

[Castle, Shane]

Hmm - well, I'd first fall back to the complete packet, if possible - this one seems to have the IPv4 and other headers stripped off.

You also don't say what version of Snort you are running, or anything about your configuration.

Can you supply a complete pcap?

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: Kern, Daniel P. x1449 [mailto:KernDP at ...16073...] 
Sent: Tuesday, February 05, 2013 14:40
To: 'snort-users at lists.sourceforge.net'
Cc: 193-IDS Admin
Subject: [Snort-users] ICMP rule triggered by UDP packet

Hello everyone,

 

This one has baffled me for awhile, so I thought I'd submit this to the group, as I may be missing something obvious.

 

Here's the rule:

 

alert icmp !$LEGIT_SRC any -> any any (msg:"LOCAL Illegitimate ICMP traffic"; detection_filter:track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:10002161; rev:2; )

 

It generally works fine.  However, here's one packet that pops below.  A UDP packet!  172.28.7.8 is in $LEGIT_SRC and it doesn't make any difference, the rule still pops.

 

------------------------------------------------------------------------

Count:90 Event#4.273137 2013-02-05 18:29:35

LOCAL Illegitimate ICMP traffic

172.28.7.8 -> 157.56.106.184

IPVer=4 hlen=5 tos=0 dlen=89 ID=41995 flags=0 offset=0 ttl=255 chksum=23670

Protocol: 17 sport=30811 -> dport=3544

 

len=69 chksum=37658

Payload:

00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00 ....R.X1].]..`..

00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF ...:............

FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 02 85 00 7D 38 00 00 00 00          .......}8....

 

 

 

Any thoughts?

 

Thanks for any insight!  --Dan