Snort mailing list archives

Re: ICMP rule triggered by UDP packet


From: "Castle, Shane" <scastle () bouldercounty org>
Date: Tue, 5 Feb 2013 22:54:16 +0000

Hmm - well, I'd first fall back to the complete packet, if possible - this one seems to have the IPv4 and other headers stripped off.

You also don't say what version of Snort you are running, or anything about your configuration.

Can you supply a complete pcap?

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: Kern, Daniel P. x1449 [mailto:KernDP () co monterey ca us] 
Sent: Tuesday, February 05, 2013 14:40
To: 'snort-users () lists sourceforge net'
Cc: 193-IDS Admin
Subject: [Snort-users] ICMP rule triggered by UDP packet

Hello everyone,

This one has baffled me for a while, so I thought I'd submit this to the group, as I may be missing something obvious.

Here's the rule:

alert icmp !$LEGIT_SRC any -> any any (msg:"LOCAL Illegitimate ICMP traffic"; detection_filter:track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:10002161; rev:2; )

It generally works fine.  However, here's one packet that pops below.  A UDP packet!  172.28.7.8 is in $LEGIT_SRC and it doesn't make any difference, the rule still pops.

------------------------------------------------------------------------
Count:90 Event#4.273137 2013-02-05 18:29:35
LOCAL Illegitimate ICMP traffic
172.28.7.8 -> 157.56.106.184
IPVer=4 hlen=5 tos=0 dlen=89 ID=41995 flags=0 offset=0 ttl=255 chksum=23670
Protocol: 17 sport=30811 -> dport=3544

len=69 chksum=37658
Payload:
00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00 ....R.X1].]..`..
00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF ...:............
FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 02 85 00 7D 38 00 00 00 00          .......}8....

Any thoughts?

Thanks for any insight!  --Dan
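Editor's note on the posted event: the 61 payload bytes (UDP len=69 minus the 8-byte UDP header) decode as a Teredo packet (RFC 4380, IPv6 tunnelled over UDP/3544). They begin with a 13-byte Teredo authentication indicator (00 01, zero-length client ID and auth value, 8-byte nonce, confirmation byte) followed by a 40-byte IPv6 header with next header 0x3A = 58 (ICMPv6), hop limit 255, source fe80::ffff:ffff:fffe and destination ff02::2, and then an 8-byte ICMPv6 router solicitation (type 133) whose checksum 0x7D38 verifies against the IPv6 pseudo-header. That is the first message of Teredo qualification from a client to a Teredo server. Snort 2.9's decoder recognises Teredo on UDP/3544, so if the poster is running a 2.9.x build the rule's `icmp` protocol is being matched against this inner ICMPv6 header while the event display shows the outer IPv4/UDP header, and `!$LEGIT_SRC` is then tested against the inner IPv6 source, which no list of IPv4 addresses will match. The decoder below is an added example written for this note, not code from the thread or from Snort; the payload bytes are copied from the event dump above, and the contents of $LEGIT_SRC are an assumption since the post does not list them.

```python
"""Decode the posted UDP/3544 payload as a Teredo-encapsulated IPv6 packet.

Added example by the editor, not code from the thread or from Snort. The
payload bytes are copied verbatim from the posted event; ASSUMED_LEGIT_SRC
is a stand-in for the poster's $LEGIT_SRC, whose real contents are unknown.
"""
import ipaddress
import struct

# The 61 payload bytes from the posted event (UDP 30811 -> 3544, len=69 including the UDP header).
POSTED_PAYLOAD = bytes.fromhex(
    "00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00 "
    "00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF "
    "FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 02 85 00 7D 38 00 00 00 00"
)

# Assumed $LEGIT_SRC for illustration: it contains the poster's 172.28.7.8.
ASSUMED_LEGIT_SRC = [ipaddress.ip_network("172.28.0.0/16")]

IPPROTO_ICMPV6 = 58
ICMPV6_TYPES = {128: "echo request", 129: "echo reply",
                133: "router solicitation", 134: "router advertisement"}


def skip_teredo_indicators(data, off=0):
    """Return the offset of the IPv6 header after any Teredo authentication
    (0x0001) or origin (0x0000) indicators (RFC 4380 section 5.1)."""
    while off + 2 <= len(data):
        tag = data[off:off + 2]
        if tag == b"\x00\x01":                    # authentication encapsulation
            id_len, au_len = data[off + 2], data[off + 3]
            off += 4 + id_len + au_len + 8 + 1     # header, client ID, auth value, nonce, confirmation
        elif tag == b"\x00\x00":                  # origin indication: port (2) + IPv4 address (4)
            off += 8
        else:
            break                                 # 0x6x: start of the IPv6 header
    return off


def parse_ipv6_header(data, off):
    """Parse the 40-byte fixed IPv6 header at `off`; returns (fields, offset of payload)."""
    if len(data) < off + 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, payload_len, next_header, hop_limit = struct.unpack_from("!IHBB", data, off)
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 header")
    fields = {
        "payload_len": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(data[off + 8:off + 24]),
        "dst": ipaddress.IPv6Address(data[off + 24:off + 40]),
    }
    return fields, off + 40


def icmpv6_checksum(src, dst, icmp):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message (RFC 4443)."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(icmp), IPPROTO_ICMPV6)
    msg = pseudo + icmp[:2] + b"\x00\x00" + icmp[4:]     # checksum field zeroed
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_teredo_payload(payload):
    """Decode Teredo indicators, the inner IPv6 header and, if present, the inner ICMPv6 message."""
    off = skip_teredo_indicators(payload)
    ip6, off = parse_ipv6_header(payload, off)
    result = {
        "teredo_indicator_len": off - 40,
        "inner_src": str(ip6["src"]),
        "inner_dst": str(ip6["dst"]),
        "next_header": ip6["next_header"],
        "hop_limit": ip6["hop_limit"],
    }
    if ip6["next_header"] == IPPROTO_ICMPV6:
        icmp = payload[off:off + ip6["payload_len"]]
        itype, icode, csum = struct.unpack_from("!BBH", icmp)
        result.update({
            "icmpv6_type": itype,
            "icmpv6_name": ICMPV6_TYPES.get(itype, "other"),
            "icmpv6_code": icode,
            "checksum_ok": icmpv6_checksum(ip6["src"], ip6["dst"], icmp) == csum,
        })
    return result


def inner_src_in_legit_src(payload, legit_src):
    """Mirror the rule's `!$LEGIT_SRC` test against the inner (tunnelled) source address.
    An IPv6 inner source is never contained in an IPv4 network, so the negation holds."""
    inner = ipaddress.ip_address(decode_teredo_payload(payload)["inner_src"])
    return any(inner in net for net in legit_src)


if __name__ == "__main__":
    for key, value in decode_teredo_payload(POSTED_PAYLOAD).items():
        print("%-22s %s" % (key, value))
    print("inner src in LEGIT_SRC:", inner_src_in_legit_src(POSTED_PAYLOAD, ASSUMED_LEGIT_SRC))
```

The practical check this suggests for the thread: capture the full frame as Shane asks, and look at whether the Snort build in use decodes Teredo; if it does, the rule needs either a `$LEGIT_SRC` that includes the expected inner IPv6 sources or a separate rule for tunnelled traffic, since an IPv4-only variable cannot match the inner header.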

