Snort mailing list archives

Re: ICMP w/payload of 1472 zeroes


From: Michael Sierchio <kudzu () tenebras com>
Date: Tue, 28 Oct 2003 16:40:56 -0800

Mike Cojocea wrote:

> Macintosh Power PCs do a kind of MTU path discovery using ICMP packets
> with the data all zeros. I tagged this kind of traffic in Snort and the
> http traffic showed a PowerPC processor.

Which OS? (X?)

There wasn't enough of anything in these packets for p0f
to fingerprint the OS, but...

> To avoid the false positives you can modify this icmp rule (SID 499)
> to trigger at dsize>800 and content: !|00000000000000000000|

These are not associated with any connection attempt; this
is the only traffic coming from these hosts.  I drop ICMP
echo requests at the firewall, but have a sensor (stealth)
outside.  I'm not yet content to ignore these -- though they
don't seem to be malicious, they are "misbehavior".

Thanks, and cheers,

Michael
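The rule change suggested in the thread, written out as an added example (not code from either poster). The stock SID 499 text is assumed to match the "ICMP Large ICMP Packet" rule shipped with Snort rule sets of that era; check it against your own rules file. The local SIDs 1000499, 1000500 and 1000501 are placeholders chosen for this example.

```snort
# Stock SID 499 as assumed here (verify against your rules file):
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

# The variant suggested in the thread: still fire on a large ICMP payload, but not
# when it contains a run of ten zero bytes. A negated content match succeeds only
# when the pattern is absent from the whole payload, so the all-zero PowerPC
# probes (1472 zero bytes) no longer alert.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet (non-zero payload)"; dsize:>800; content:!"|00 00 00 00 00 00 00 00 00 00|"; classtype:bad-unknown; sid:1000499; rev:1;)

# Caveat: with the rule above, any large ICMP packet that happens to carry ten
# consecutive zero bytes anywhere is suppressed too. Pinning the negated match to
# the start of the payload keeps the exemption narrower: only payloads that begin
# with ten zero bytes are exempt.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet (non-zero payload, pinned)"; dsize:>800; content:!"|00 00 00 00 00 00 00 00 00 00|"; offset:0; depth:10; classtype:bad-unknown; sid:1000501; rev:1;)

# Alternative that leaves SID 499 untouched: tag the all-zero probes under their
# own SID so they can be counted or thresholded rather than ignored outright.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large all-zero payload (probable PMTU probe)"; dsize:>800; content:"|00 00 00 00 00 00 00 00 00 00|"; offset:0; depth:10; classtype:misc-activity; sid:1000500; rev:1;)
```

Use the pinned variant together with the tagging rule if you want the poster's "misbehavior" to stay visible in the logs while the generic large-ICMP alert stops firing on it; local rules conventionally use SIDs of 1000000 and above so they do not collide with distributed rule sets.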

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users