[Snort-users] non-standard ping messages

James Lay jlay at ...13475...
Tue Jan 21 17:56:50 EST 2014


On 2014-01-21 15:03, Jefferson, Shawn wrote:
> With the recent revelations of the Target breach, I was wondering if
> there is an existing rule that watches for non-standard ping messages
> crossing the network? That was one of the indicators in this incident
> and that seems like something useful to look for anyway, so maybe
> there is already a rule either in VRT or ET the ruleset. Does anyone
> know of an existing rule?
>
> Thanks!
>
> Shawn

Here's what I've been working with:

alert icmp any any -> any any (msg:"Unusual L3retriever Ping detected"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; dsize:>32; classtype:trojan-activity; sid:10000116; rev:1;)
alert icmp any any -> any any (msg:"Unusual Microsoft Windows Ping detected"; icode:0; itype:8; content:"0123456789abcdefghijklmnopqrstuv"; depth:32; dsize:>32; classtype:trojan-activity; sid:10000117; rev:1;)
alert icmp any any -> any any (msg:"Unusual Microsoft Windows 7 Ping detected"; icode:0; itype:8; content:"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; dsize:>32; classtype:trojan-activity; sid:10000118; rev:1;)
alert icmp any any -> any any (msg:"Unusual PING detected"; icode:0; itype:8; fragbits:!M; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; content:!"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; classtype:trojan-activity; sid:10000119; rev:4;)

My fear was that a bad guy would slip in extra data with known pings, 
so the first three match on content and size over 32 bytes.  The last 
one will catch any pings that DON'T match anything standard.  I'd 
capture ICMP for a bit and see what's "normal" on your network, then 
craft around that.

James
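As an added example (not James's rules or any Snort code), the same decision logic applied to raw ICMP messages in Python, so you can run it over the echo requests from a capture and tally what "normal" looks like before tuning the rules; the packet builder, checksum routine and sample payloads are constructed here, and dsize is assumed to mean the ICMP data length after the 8-byte header.

```python
import struct
from collections import Counter

# The three "standard" 32-byte payloads whitelisted by the rules above, keyed
# to the sid that fires when extra data follows them (dsize:>32).
STANDARD_PAYLOADS = {
    b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI": ("L3retriever", 10000116),
    b"0123456789abcdefghijklmnopqrstuv": ("Microsoft Windows", 10000117),
    b"abcdefghijklmnopqrstuvwabcdefghi": ("Microsoft Windows 7", 10000118),
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(payload: bytes, itype: int = 8, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed sample message: ICMP header (type, code 0, csum, id, seq) + data."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload

def classify_echo_request(icmp: bytes):
    """Apply the rule logic to one ICMP message (IP header already stripped).
    Returns (msg, sid) on a hit, None otherwise. A 32-byte content with depth:32
    must sit at offset 0; dsize is taken as the ICMP data length (assumption).
    fragbits:!M lives in the IP header and is not modelled here."""
    if len(icmp) < 8 or icmp[0] != 8 or icmp[1] != 0:
        return None                      # itype:8 icode:0 gate: not an echo request
    data = icmp[8:]
    for pattern, (name, sid) in STANDARD_PAYLOADS.items():
        if data[:32] == pattern:
            # known payload: alert only if extra bytes are tacked on after it
            return (f"Unusual {name} Ping detected", sid) if len(data) > 32 else None
    return ("Unusual PING detected", 10000119)   # catch-all rule

def baseline(packets):
    """Tally hits over a capture to see what is 'normal' before tuning."""
    return Counter(classify_echo_request(p) for p in packets)

if __name__ == "__main__":
    win7 = b"abcdefghijklmnopqrstuvwabcdefghi"
    linux = b"\x00" * 16 + bytes(range(0x10, 0x38))  # constructed Linux-style ping
    for hit, n in baseline([build_echo(win7), build_echo(win7 + b"!!"), build_echo(linux)]).items():
        print(n, hit)
```

Note that a stock Linux ping (timestamp plus 0x10..0x37 pattern) trips the catch-all sid 10000119, which is exactly why the baseline step matters on a mixed network.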