Snort mailing list archives
Re: ICMP w/payload of 1472 zeroes
From: Mike Cojocea <msc39 () georgetown edu>
Date: Tue, 28 Oct 2003 19:07:40 -0500
Michael,

Macintosh Power PCs do a kind of MTU path discovery using ICMP packets with the data all zeros. I tagged this kind of traffic in Snort and the http traffic showed a PowerPC processor. The first packets of the traffic are in the following sequence:

1. ICMP ECHO REQUEST
2. SYN
3. ICMP ECHO REPLY
4. SYN/ACK
5. ACK
......

19:42:59.691229 MYNET.105.138 > MYNET.1.103: icmp: echo request (DF)
19:42:59.691245 MYNET.105.138.49235 > MYNET.1.103.80: S 1395463477:1395463477(0) win 32768 <mss 1460,wscale 0,nop>
19:42:59.691686 MYNET.1.103 > MYNET.105.138: icmp: echo reply (DF)
19:42:59.691738 MYNET.1.103.80 > MYNET.105.138.49235: S 3523853718:3523853718(0) ack 1395463478 win 33580 <nop,wscale 0,mss 1460> (DF)
19:42:59.706535 MYNET.105.138.49235 > MYNET.1.103.80: . ack 1 win 32768 (DF)

The log file in a Snort IDS looks like:

[**] [1:499:3] ICMP Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS246]
Event ID: 21187 Event Reference: 21187
10/28/03-00:43:00.119856 MYNET.105.138 -> MYNET.1.103
ICMP TTL:253 TOS:0x0 ID:7973 IpLen:20 DgmLen:1500 DF
Type:8 Code:0 ID:39612 Seq:57072 ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...]

To avoid the false positives you can modify this icmp rule (SID499) to trigger at dsize>800 and content: !|00000000000000000000|

Let me know if it works.

Mike

___________________________
Mike Cojocea, CISSP
Network Security Analyst
Georgetown University
University Information Services
202-687-1002
msc39 () georgetown edu

Michael Sierchio wrote:
This causes the "ICMP Large ICMP Packet" alert to appear, but
I'm wondering if anyone has any insight into a more specific
source. A traceroute was inconclusive wrt whether the source
IP was forged -- in the ballpark for the right TTL, but this
is 24 hours later, also modulo route asymmetry, etc.
Thanks,
Michael
--
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent man requires only two thousand five hundred."
- The Mahabharata
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
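Editor's note, added to the archived thread (not code from either poster): the example below emulates what Mike's suggested change to SID 499 actually does to the alert decision. Snort's dsize and content options inspect the ICMP data after the 8-byte ICMP header, so the DgmLen:1500 packet in the alert carries 1500 - 20 - 8 = 1472 data bytes, matching the subject line. The rule strings are Snort 2.x syntax as recalled here (verify against your own icmp.rules; the thread's `content: !|00...|` shorthand is written out as `content:!"|00 00 ...|";`), the packets are constructed rather than captured, and the function and sample names are this example's own. It also shows a tighter variant with `depth:10` that only excludes payloads which begin with ten NULs, since a bare negated content would also suppress any large ICMP packet that happens to contain ten consecutive NULs anywhere in its data.

```python
"""Emulate the SID 499 "ICMP Large ICMP Packet" variants discussed above.

Constructed packets only; nothing here is captured traffic.
"""
import struct

IP_HEADER_LEN = 20
ICMP_HEADER_LEN = 8
ICMP_DATA_LEN_1500 = 1500 - IP_HEADER_LEN - ICMP_HEADER_LEN  # 1472, as in the subject

# Rule text for reference (Snort 2.x syntax as recalled; check your own rules).
RULE_ORIGINAL = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any ('
                 'msg:"ICMP Large ICMP Packet"; dsize:>800; '
                 'reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)')
# Mike's variant: negated content, searched over the whole payload.
RULE_NEGATED = RULE_ORIGINAL.replace(
    'dsize:>800;', 'dsize:>800; content:!"|00 00 00 00 00 00 00 00 00 00|";')
# Tighter variant: depth:10 confines the search to the first ten bytes.
RULE_NEGATED_DEPTH = RULE_ORIGINAL.replace(
    'dsize:>800;',
    'dsize:>800; content:!"|00 00 00 00 00 00 00 00 00 00|"; depth:10;')

ZERO_RUN = b"\x00" * 10


def build_echo_request(data: bytes, ident: int = 39612, seq: int = 57072) -> bytes:
    """ICMP echo request (type 8, code 0) wrapped around `data`.
    The checksum is left zero; the detection logic never looks at it."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data


def icmp_data(icmp_msg: bytes) -> bytes:
    """The bytes dsize/content inspect: the ICMP payload after the 8-byte header."""
    return icmp_msg[ICMP_HEADER_LEN:]


def sid499_original(icmp_msg: bytes) -> bool:
    """Stock rule: dsize:>800 only."""
    return len(icmp_data(icmp_msg)) > 800


def sid499_negated(icmp_msg: bytes) -> bool:
    """dsize:>800 plus content:!"|00 x10|" with no depth: fires only if ten
    consecutive NULs appear nowhere in the payload."""
    data = icmp_data(icmp_msg)
    return len(data) > 800 and ZERO_RUN not in data


def sid499_negated_depth(icmp_msg: bytes) -> bool:
    """Same, but depth:10 limits the match window to the first ten bytes, so
    only payloads that begin with ten NULs are excluded."""
    data = icmp_data(icmp_msg)
    return len(data) > 800 and not data.startswith(ZERO_RUN)


# Constructed samples (hypothetical names, not captured packets).
SAMPLES = {
    # the PowerPC-style probe from the thread: 1472 zero bytes
    "powerpc_zero_probe": build_echo_request(b"\x00" * ICMP_DATA_LEN_1500),
    # an ordinary 56-byte all-zero ping: below the size threshold
    "small_ping": build_echo_request(b"\x00" * 56),
    # a large echo with an incrementing fill pattern, no NUL runs
    "large_patterned": build_echo_request(bytes(range(256)) * 5 + bytes(range(192))),
    # large non-zero data with a single ten-NUL run buried in the middle
    "large_with_embedded_nuls": build_echo_request(
        b"\x41" * 700 + ZERO_RUN + b"\x42" * 762),
}


def evaluate(samples=SAMPLES):
    """Return {sample: (original, negated, negated_depth)} alert decisions."""
    return {
        name: (sid499_original(pkt), sid499_negated(pkt), sid499_negated_depth(pkt))
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':26} original negated negated+depth")
    for name, (o, n, d) in evaluate().items():
        print(f"{name:26} {str(o):8} {str(n):7} {d}")
```

Running it shows the all-zero 1472-byte probe alerting only under the stock rule, while the patterned large echo still alerts under all three. The difference between the two negated variants is the embedded-NUL sample: without `depth:10` the rule goes quiet on it, which is the trade-off to weigh before deploying Mike's change as-is.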
Current thread:
- ICMP w/payload of 1472 zeroes Michael Sierchio (Oct 28)
- Re: ICMP w/payload of 1472 zeroes Mike Cojocea (Oct 28)
- Re: ICMP w/payload of 1472 zeroes Michael Sierchio (Oct 28)
- Re: ICMP w/payload of 1472 zeroes Michael Sierchio (Oct 31)
- Re: ICMP w/payload of 1472 zeroes Mike Cojocea (Oct 28)
