Snort mailing list archives
Re: Snort rule regarding L3Retriever Ping
From: pbsarnac () ThoughtWorks com
Date: Wed, 20 Mar 2002 09:39:29 -0600
A Google search for L3 retriever yields a couple of articles. I picked this one:

http://www.scmagazine.com/scmagazine/standalone/l3/l3_retriever.htm

It appears that L3 Retriever is a network mapping/vulnerability scanning tool developed by L-3 Security, which was apparently purchased by Symantec in the fall of 2000. I'm assuming that they integrated the technology into their NetRecon product.

This signature indicates that someone is mapping your network with the L-3 Retriever product.

I would recommend updating the signature so that the alert message is "ICMP L-3 Retriever Ping". That would make it easier for people to do their own Google searches on the rule.

Ashley Thomas <athomas () unity ncsu edu>
Sent by: snort-users-admin () lists sourceforge.net
03/19/2002 10:29 PM

To: snort-users () lists sourceforge net
cc: vamahadi () unity ncsu edu
Subject: [Snort-users] Snort rule regarding L3Retriever Ping
hi,

There was a question regarding the below rule (but didn't find any replies):

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)

Is there any particular reason for this alert?
The lone fact that content has "ABCD..." doesn't require much attention, right?
And such a rule might cause false alarms, correct?

Pls correct me if I am wrong.

cheers
ashley

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
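Added example, not part of the original thread and not Snort's own code: a small Python check that applies the quoted rule's itype, icode, content and depth options to constructed ICMP messages, to show which echo payloads sid:466 would and would not fire on. The function names are hypothetical, and it assumes the content search starts at the echo payload (after the 8-byte ICMP echo header) and is case-sensitive because the rule has no "nocase".

```python
import struct

# Option values copied from the rule quoted in the thread (sid:466).
RULE_CONTENT = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
RULE_DEPTH = 32
RULE_ITYPE, RULE_ICODE = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(itype: int, icode: int, payload: bytes, ident=1, seq=1) -> bytes:
    """Build a constructed ICMP echo-style message with a valid checksum."""
    header = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload


def rule_matches(icmp: bytes) -> bool:
    """Apply itype, icode and content/depth as written in the rule."""
    if len(icmp) < 8:
        return False  # truncated header, nothing to inspect
    if (icmp[0], icmp[1]) != (RULE_ITYPE, RULE_ICODE):
        return False
    payload = icmp[8:]  # assumption: payload follows type/code/csum/id/seq
    # depth:32 limits the search to the first 32 payload bytes, and the
    # comparison is byte-exact, so letter case matters.
    return RULE_CONTENT in payload[:RULE_DEPTH]


# Constructed sample messages (not captured traffic). The Windows ping
# default payload is the same 32-letter sequence in lowercase.
SAMPLES = {
    "uppercase pattern from the rule": build_icmp(8, 0, RULE_CONTENT),
    "Windows ping default (lowercase)": build_icmp(8, 0, RULE_CONTENT.lower()),
    "pattern in an echo reply": build_icmp(0, 0, RULE_CONTENT),
    "pattern starting past depth 32": build_icmp(8, 0, b"\x00" * 8 + RULE_CONTENT),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:34s} -> {'ALERT' if rule_matches(pkt) else 'no alert'}")
```

Only the uppercase echo request alerts; an ordinary Windows ping carries the lowercase sequence and does not match unless the rule is changed to ignore case.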