Snort mailing list archives

Re: Snort rule regarding L3Retriever Ping


From: pbsarnac () ThoughtWorks com
Date: Wed, 20 Mar 2002 09:39:29 -0600


A Google search for L3 Retriever yields a couple of articles. I picked this
one:
http://www.scmagazine.com/scmagazine/standalone/l3/l3_retriever.htm
It appears that L3 Retriever is a network mapping/vulnerability scanning
tool developed by L-3 Security, which was apparently purchased by Symantec
in the fall of 2000. I'm assuming that they integrated the technology into
their NetRecon product.

This signature indicates that someone is mapping your network with the L-3
Retriever product.

I would recommend updating the signature so that the alert message is "ICMP
L-3 Retriever Ping".  That would make it easier for people to do their own
Google searches on the rule.



Ashley Thomas <athomas () unity ncsu edu>
Sent by: snort-users-admin () lists sourceforge net
03/19/2002 10:29 PM

To:       snort-users () lists sourceforge net
cc:       vamahadi () unity ncsu edu
Subject:  [Snort-users] Snort rule regarding L3Retriever Ping




hi,

There was a question regarding the below rule: (but I didn't find any
replies)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; \
    content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype:8; icode:0; depth:32; \
    reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)

Is there any particular reason for this alert?

The lone fact that content has "ABCD..." doesn't require much attention,
right?
And such a rule might cause false alarms, correct?

Please correct me if I am wrong.

cheers
ashley



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




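As an added illustration for readers of this thread (it is not part of either message above, and it is not Snort's own code), the following Python script models exactly what sid 466 checks: ICMP type 8, code 0, and the 32-byte uppercase string found within the first 32 bytes of the ICMP payload (depth:32). Because Snort content matches are case-sensitive unless "nocase" is given, a lowercase payload of the same letters does not fire the rule. The sample packets are constructed in the script, not captured traffic; the packet builder, parser and rule-matcher function names are this example's own.

```python
import struct

# Matching conditions lifted from the rule quoted in the thread (sid:466).
# Snort content matching is case-sensitive unless "nocase" is present, and
# depth:32 limits the search to the first 32 bytes of the ICMP payload, so a
# 32-byte pattern can only match when it starts at payload offset 0.
RULE_MSG = "ICMP L3retriever Ping"
RULE_CONTENT = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
RULE_ITYPE = 8   # ICMP echo request
RULE_ICODE = 0
RULE_DEPTH = 32

ICMP_HDR = struct.Struct("!BBHHH")   # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(itype: int, icode: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum (test-packet helper)."""
    csum = icmp_checksum(ICMP_HDR.pack(itype, icode, 0, ident, seq) + payload)
    return ICMP_HDR.pack(itype, icode, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into its fields; reject truncated or corrupted input."""
    if len(packet) < ICMP_HDR.size:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode, _csum, ident, seq = ICMP_HDR.unpack_from(packet)
    return {"itype": itype, "icode": icode, "ident": ident, "seq": seq,
            "payload": packet[ICMP_HDR.size:]}


def sid466_matches(packet: bytes) -> bool:
    """True when the message satisfies every condition of sid 466."""
    fields = parse_icmp(packet)
    if fields["itype"] != RULE_ITYPE or fields["icode"] != RULE_ICODE:
        return False
    # depth:32 -> the pattern must lie entirely within the first 32 payload bytes.
    return RULE_CONTENT in fields["payload"][:RULE_DEPTH]


def run_rule(packets) -> list:
    """Apply the rule to a list of ICMP messages; return (index, msg) per alert."""
    alerts = []
    for i, pkt in enumerate(packets):
        try:
            if sid466_matches(pkt):
                alerts.append((i, RULE_MSG))
        except ValueError:
            # Malformed ICMP never matches this rule; a real sensor would raise
            # a decoder event for it instead.
            continue
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    # 0: echo request carrying the exact uppercase pattern -> alert
    build_icmp(8, 0, 0x1234, 1, RULE_CONTENT),
    # 1: echo request with the same letters in lowercase -> no alert (case-sensitive)
    build_icmp(8, 0, 0x0001, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
    # 2: echo *reply* carrying the uppercase pattern -> no alert (itype:8 fails)
    build_icmp(0, 0, 0x1234, 1, RULE_CONTENT),
    # 3: pattern shifted one byte in -> no alert (depth:32 cannot contain all of it)
    build_icmp(8, 0, 0x1234, 2, b"\x00" + RULE_CONTENT),
    # 4: header only, no payload -> no alert
    build_icmp(8, 0, 0x1234, 3, b""),
]

if __name__ == "__main__":
    for idx, msg in run_rule(SAMPLE_PACKETS):
        print("packet %d: %s" % (idx, msg))
```

Only the first sample packet produces an alert. Packet 1 shows why the rule is narrower than "any ping with ABCD... in it": without nocase the lowercase variant is not matched at all, and packets 2 and 3 show the itype and depth conditions doing their part, which is what keeps this signature specific rather than a broad source of false alarms.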