Snort mailing list archives

Re: Re: A new type of ICMP packet


From: Phil Wood <cpw () lanl gov>
Date: Mon, 28 May 2001 22:55:48 -0600

On Mon, May 28, 2001 at 09:12:32PM -0400, Matt Scarborough wrote:
> On Fri, 25 May 2001 10:11:30 -0600, Phil Wood wrote:
> 
> > Eight unknown ICMPs left my establishment last night at 1 second intervals.
> 
> ICMP payload 3f3f 3f3f with TTL 10 indicates Napster. But ICMP code and type
> 0254 do not.
> 
> Then again, if that is ICMP Id 666 (029a) other things may be afoot.
> 
> Could you post tcpdump -X so nothing may be lost in the conversion?

It's the MNOPQRST sequence!  %^) 

19:43:27.524954 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  5e01ba0b  0a000736  d10c4bcc : E     @ ^      6  K  :
  024d0020  029a0001  3f3f3f3f  00000000  00000000 :  M      ????         :
  00000000  0000                                   :                      :
19:43:28.684491 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  5201c60b  0a000736  d10c4bcc : E     @ R      6  K  :
  024e0020  029a0001  3f3f3f3f  00000000  00000000 :  N      ????         :
  00000000  0000                                   :                      :
19:43:29.722691 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  4601d20b  0a000736  d10c4bcc : E     @ F      6  K  :
  024f0020  029a0001  3f3f3f3f  00000000  00000000 :  O      ????         :
  00000000  0000                                   :                      :
19:43:30.870075 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  3a01de0b  0a000736  d10c4bcc : E     @ :      6  K  :
  02500020  029a0001  3f3f3f3f  00000000  00000000 :  P      ????         :
  00000000  0000                                   :                      :
19:43:32.040454 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  2e01ea0b  0a000736  d10c4bcc : E     @ .      6  K  :
  02510020  029a0001  3f3f3f3f  00000000  00000000 :  Q      ????         :
  00000000  0000                                   :                      :
19:43:33.168850 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  2201f60b  0a000736  d10c4bcc : E     @ "      6  K  :
  02520020  029a0001  3f3f3f3f  00000000  00000000 :  R      ????         :
  00000000  0000                                   :                      :
19:43:34.359758 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  1601020c  0a000736  d10c4bcc : E     @        6  K  :
  02530020  029a0001  3f3f3f3f  00000000  00000000 :  S      ????         :
  00000000  0000                                   :                      :
19:43:35.443925 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  0a010e0c  0a000736  d10c4bcc : E     @        6  K  :
  02540020  029a0001  3f3f3f3f  00000000  00000000 :  T      ????         :
  00000000  0000                                   :                      :

> Matt Scarborough 2001-05-29
> 
> > They all looked like this:
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 32             |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | Identification = 48669        | |D| | Fragment Offset = 0     |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  |    TTL=10     | Protocol = 1  | Header Checksum = 3596        |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | Source Address  = 10.0.7.54                                    |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | Destination Address  = 209.12.75.204                          |
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >      RFC792: INTERNET CONTROL MESSAGE PROTOCOL, September 1981
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >  | Type = 2      | Code = 84     | Checksum = 32                 |
> >  | Unknown Type/Code                                             |
> >  :  029a0001  3f3f3f3f  00000000  00000000    :     ????         :
> >  :  00000000  0000                            :                  :
> >  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > 
> > Anyone seeing these?  Snort sees them as "ICMP Unassigned! (Type 2)".


-- 
Phil Wood, cpw () lanl gov
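To pull the same fields out mechanically, here is an added Python decoder for the tcpdump -X layout quoted above (example code written for this page, not from the thread or from Snort): it splits the IPv4 header from the ICMP message using IHL and Total Length, reads type, code, identifier and sequence number as laid out in the RFC 792 diagram, and recomputes both checksums. The embedded sample is the first two packets of the dump; the function names are my own.

```python
import struct

# Constructed sample: the first two packets of the dump quoted above, copied verbatim.
SAMPLE_DUMP = """\
19:43:27.524954 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  5e01ba0b  0a000736  d10c4bcc : E     @ ^      6  K  :
  024d0020  029a0001  3f3f3f3f  00000000  00000000 :  M      ????         :
  00000000  0000                                   :                      :
19:43:28.684491 10.0.7.54 > 209.12.75.204: icmp 12 type-#2 (DF)
  45000020  be1d4000  5201c60b  0a000736  d10c4bcc : E     @ R      6  K  :
  024e0020  029a0001  3f3f3f3f  00000000  00000000 :  N      ????         :
  00000000  0000                                   :                      :
"""

def parse_dump(text):
    """Raw bytes of each packet: hex lines are indented; the ASCII column after ':' is dropped."""
    packets, cur = [], []
    for line in text.splitlines():
        if line.startswith("  "):
            cur.extend(bytes.fromhex(w) for w in line.split(":")[0].split())
        elif cur:  # a new timestamp line ends the previous packet
            packets.append(b"".join(cur))
            cur = []
    if cur:
        packets.append(b"".join(cur))
    return packets

def checksum(data):
    """RFC 1071 one's-complement checksum; 0 when the data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(pkt):
    """Split one IPv4/ICMP packet into the fields of the RFC 792 diagram quoted above."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_hdr, icmp = pkt[:ihl], pkt[ihl:total_len]  # bytes past Total Length are Ethernet padding
    icmp_type, code, icmp_cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"ip_id": struct.unpack("!H", pkt[4:6])[0], "ttl": pkt[8], "proto": pkt[9],
            "ip_cksum_ok": checksum(ip_hdr) == 0, "icmp_cksum_ok": checksum(icmp) == 0,
            "type": icmp_type, "code": code, "code_char": chr(code), "icmp_cksum": icmp_cksum,
            "icmp_id": ident, "seq": seq, "payload": icmp[8:]}

def code_sequence(text):
    """Letters spelled by the ICMP code byte across a dump ("MNOPQRST" over all eight)."""
    return "".join(decode(p)["code_char"] for p in parse_dump(text))
```

Over all eight packets code_sequence() returns the MNOPQRST string; on these dumps neither the IP nor the ICMP checksum recomputes cleanly, which is worth noting when triaging an unassigned ICMP type.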


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
