Snort mailing list archives
Re: A new type of ICMP packet
From: "Ofir Arkin" <ofir () sys-security com>
Date: Fri, 25 May 2001 22:18:08 +0200
Phil,

Type 2 is unassigned. TTL=10 is suspicious as well.

I have seen the "3f3f3f3f" pattern somewhere before... But I fail to remember where and why.

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com

----- Original Message -----
From: "Phil Wood" <cpw () lanl gov>
To: <snort-users () lists sourceforge net>
Sent: Friday, May 25, 2001 6:11 PM
Subject: [Snort-users] A new type of ICMP packet

Folks,

Eight unknown ICMP's left my establishment last night at 1 second intervals.

They all looked like this:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VER=4 | IHL=5 | ROU | | | | | |       Total Length = 32       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Identification = 48669     | |D| |   Fragment Offset = 0   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    TTL=10     | Protocol = 1  |    Header Checksum = 3596     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Source Address = 10.0.7.54                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              Destination Address = 209.12.75.204              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
RFC792:  INTERNET CONTROL MESSAGE PROTOCOL, September 1981
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type = 2    |   Code = 84   |         Checksum = 32         |
|                       Unknown Type/Code                       |
: 029a0001 3f3f3f3f 00000000 00000000 : ????                    :
: 00000000 0000                       :                         :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Anyone seeing these? Snort sees them as "ICMP Unassigned! (Type 2)".

Thanks,
Phil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
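As an added example (not part of the thread, and not Snort's own code), the two observations in the reply, an ICMP type that RFC 792 does not define and a low TTL, can be checked over a raw IPv4 packet as follows. The `LOW_TTL` threshold, the function names and the sample packet (constructed from the field values in the dump, with checksums zeroed and only the first eight payload bytes) are assumptions.

```python
import socket
import struct

# ICMP types that RFC 792 (the RFC named in the dump) defines.
RFC792_TYPES = {0, 3, 4, 5, 8, 11, 12, 13, 14, 15, 16}
LOW_TTL = 32  # assumed threshold for "suspicious"; not a value from the thread


def build_sample(icmp_type=2, code=84, ttl=10):
    """Constructed 32-byte packet using the dump's field values; checksums are 0."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + bytes.fromhex("029a00013f3f3f3f")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 48669, 0x4000,
                     ttl, 1, 0, socket.inet_aton("10.0.7.54"),
                     socket.inet_aton("209.12.75.204"))
    return ip + icmp


def inspect(packet):
    """Return a list of findings for one raw IPv4 packet (no link-layer header)."""
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, total_len, _, _, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return ["not a valid IPv4 header"]
    findings = []
    if total_len != len(packet):
        findings.append(f"total length {total_len} != captured {len(packet)}")
    if ttl < LOW_TTL:
        findings.append(f"low TTL {ttl}")
    if proto != 1:  # only ICMP is examined further
        return findings
    if len(packet) < ihl + 4:
        return findings + ["truncated ICMP header"]
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type not in RFC792_TYPES:
        findings.append(f"ICMP type {icmp_type} code {code} not defined in RFC 792")
    return findings


if __name__ == "__main__":
    for finding in inspect(build_sample()):
        print(finding)
```

Types assigned by later RFCs are also reported by this check, because the set is limited to RFC 792.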
Current thread:
- A new type of ICMP packet Phil Wood (May 25)
- Re: A new type of ICMP packet Ofir Arkin (May 25)
- <Possible follow-ups>
- Re:A new type of ICMP packet Matt Scarborough (May 28)
- Re: Re:A new type of ICMP packet Phil Wood (May 28)
- Re: Re:A new type of ICMP packet Chris Green (May 29)
- Re: A new type of ICMP packet Matt Scarborough (May 29)