[Snort-users] ICMP rule triggered by UDP packet

Kern, Daniel P. x1449 KernDP at ...16073...
Wed Feb 6 10:12:44 EST 2013


DOH! Stupid me for relying purely on Sguil's packet text only.  The packet says "Teredo IPv6 over UDP tunneling".  Internet Control Message Protocol v6 is listed too.  The packet is attached.  I don't know much about IPv6 packets.  I guess what is confusing is the basics of why the rule would pop at all if the source IP is in $LEGIT_SRC? Or does ICMPv6 cause Snort to act differently?

Running Snort 2.9.4, Barnyard Version 0.2.0 (Build 32), and Sguil 0.8.0.

Thanks for your insight!  --Dan


-----Original Message-----
From: Castle, Shane [mailto:scastle at ...14946...] 
Sent: Tuesday, February 05, 2013 2:54 PM
To: Kern, Daniel P. x1449; 'snort-users at lists.sourceforge.net'
Cc: 193-IDS Admin
Subject: RE: ICMP rule triggered by UDP packet

Hmm - well, I'd first fall back to the complete packet, if possible - this one seems to have the IPv4 and other headers stripped off.

You also don't say what version of Snort you are running, or anything about your configuration.

Can you supply a complete pcap?

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: Kern, Daniel P. x1449 [mailto:KernDP at ...16073...] 
Sent: Tuesday, February 05, 2013 14:40
To: 'snort-users at lists.sourceforge.net'
Cc: 193-IDS Admin
Subject: [Snort-users] ICMP rule triggered by UDP packet

Hello everyone,


This one has baffled me for a while, so I thought I'd submit this to the group, as I may be missing something obvious.


Here's the rule:


alert icmp !$LEGIT_SRC any -> any any (msg:"LOCAL Illegitimate ICMP traffic"; detection_filter:track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:10002161; rev:2; )


It generally works fine.  However, here's one packet that pops below.  A UDP packet!  172.25.7.8 is in $LEGIT_SRC and it doesn't make any difference, the rule still pops.


------------------------------------------------------------------------

Count:90 Event#4.273137 2013-02-05 18:29:35

LOCAL Illegitimate ICMP traffic

172.25.7.8 -> 157.56.106.184

IPVer=4 hlen=5 tos=0 dlen=89 ID=41995 flags=0 offset=0 ttl=255 chksum=23670

Protocol: 17 sport=30811 -> dport=3544


len=69 chksum=37658

Payload:

00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00 ....R.X1].]..`..

00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF ...:............

FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 02 85 00 7D 38 00 00 00 00          .......}8....


Any thoughts?


Thanks for any insight!  --Dan
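An added example (my own code, not from the thread) that decodes the quoted UDP payload as a Teredo datagram, which is what explains the match: Snort's decoder skips the Teredo authentication indicator and evaluates the rule header against the tunnelled IPv6/ICMPv6 packet, whose link-local source fe80::ffff:ffff:fffe is not in an IPv4 $LEGIT_SRC. The 172.25.7.0/24 list standing in for $LEGIT_SRC is a constructed assumption.

```python
# Added example (not from the thread): decode the quoted UDP payload as a
# Teredo datagram (RFC 4380) to expose the tunnelled IPv6 and ICMPv6 headers
# that Snort's decoder matches "alert icmp !$LEGIT_SRC" against.
import ipaddress
import struct

# The 61 payload bytes exactly as dumped in the post (UDP len 69 minus header).
PAYLOAD = bytes.fromhex(
    "00010000521c58315d865d9400600000"
    "0000083afffe800000000000000000ff"
    "fffffffffeff02000000000000000000"
    "000000000285007d3800000000"
)

ICMPV6 = 58  # IPv6 next-header value 0x3a


def decode_teredo(payload):
    """Skip Teredo indicators, then parse the IPv6 and ICMPv6 headers."""
    off, nonce = 0, None
    while payload[off] >> 4 != 6:          # loop until the IPv6 version nibble
        ind = struct.unpack("!H", payload[off:off + 2])[0]
        if ind == 0x0001:                  # Authentication indicator
            id_len, au_len = payload[off + 2], payload[off + 3]
            start = off + 4 + id_len + au_len
            nonce = payload[start:start + 8].hex()
            off = start + 8 + 1            # 8-byte nonce + confirmation byte
        elif ind == 0x0000:                # Origin indicator: fixed 8 bytes
            off += 8
        else:
            raise ValueError("unknown Teredo indicator 0x%04x" % ind)
    vtf, _plen, nxt, hlim, src, dst = struct.unpack("!IHBB16s16s", payload[off:off + 40])
    return {
        "nonce": nonce,
        "ip_version": vtf >> 28,
        "next_header": nxt,
        "hop_limit": hlim,
        "inner_src": str(ipaddress.IPv6Address(src)),
        "inner_dst": str(ipaddress.IPv6Address(dst)),
        "icmp_type": payload[off + 40] if nxt == ICMPV6 else None,
    }


def icmp_rule_fires(decoded, legit_src_cidrs):
    """Model 'alert icmp !$LEGIT_SRC any -> any any' on the inner packet."""
    if decoded["next_header"] != ICMPV6:
        return False
    inner = ipaddress.ip_address(decoded["inner_src"])
    nets = [ipaddress.ip_network(c) for c in legit_src_cidrs]
    return not any(inner in n for n in nets)   # IPv6 src never matches an IPv4 list
```

With the constructed IPv4 list the model fires (inner type 133 is an ICMPv6 Router Solicitation to ff02::2); adding fe80::/10 to the list is what stops it, which is the check to run against the real $LEGIT_SRC.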


-------------- next part --------------
A non-text attachment was scrubbed...
Name: packet.pdf
Type: application/pdf
Size: 14215 bytes
Desc: packet.pdf
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130206/168e4aee/attachment.pdf>