Snort mailing list archives
MISC Large ICMP Packet alert on small ICMP packet
From: Bill McCarty <bmccarty () apu edu>
Date: Fri, 22 Mar 2002 20:57:08 -0800
I'm seeing MISC Large ICMP Packet alerts and don't see why. I used nmap to scan one of my hosts, using options -f -sS -p 53. The resulting alert, related to nmap's ping rather than the SYN scan, was:
03/22-20:21:30.429717 [**] [1:499:1] MISC Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} xxx.xxx.xxx.31 -> xxx.xxx.xxx.5
The relevant Snort rule is:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)
This rule seems to look for a datagram size exceeding 800 bytes. But, a tcpshow dump of the relevant packet shows a datagram size of only 28 bytes.
Packet 371
Timestamp: 20:21:30.429717
IP Header
  Version: 4
  Header Length: 20 bytes
  Service Type: 0x00
  Datagram Length: 28 bytes
  Identification: 0x1775
  Flags: MF=off, DF=off
  Fragment Offset: 0
  TTL: 45
  Encapsulated Protocol: ICMP
  Header Checksum: 0x2571
  Source IP Address: xxx.xxx.xxx.31
  Destination IP Address: xxx.xxx.xxx.5
ICMP Header
  Type: echo-request
  Checksum: 0x1F16
ICMP Data
  ....
I'm clearly missing something. Can someone point me in the right direction? Thanks, as always!

Bill McCarty
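To make the arithmetic behind the rule concrete, here is an added example (not part of the original post or of Snort itself) that builds raw IPv4/ICMP echo-request packets and computes the ICMP payload size the way a `dsize` test is commonly understood to see it: IP total length minus the IP header minus the 8-byte ICMP echo header. That reading is an assumption stated here, not something the post establishes. The 28-byte datagram in the tcpshow dump works out to 20 + 8 + 0, so it carries no ICMP payload at all and falls far short of the rule's `dsize: >800`; a constructed 900-byte-payload packet, by contrast, would match. The function also clamps a short or truncated packet to zero rather than letting the subtraction go negative, since a negative length stored unsigned would read as enormous.

```python
import socket
import struct

DSIZE_THRESHOLD = 800  # from the rule: dsize: >800


def build_icmp_echo(ident, ttl, src, dst, payload=b""):
    """Build a raw IPv4 + ICMP echo-request packet (constructed test input).

    The checksums are left as zero placeholders; they are not needed for
    the length arithmetic demonstrated here.
    """
    # ICMP echo request: type 8, code 0, checksum, identifier, sequence
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, header length 5 words (20 bytes)
        0,               # type of service
        total_len,       # IP datagram length
        ident,           # identification
        0,               # flags MF=0 DF=0, fragment offset 0
        ttl,
        1,               # encapsulated protocol: ICMP
        0,               # header checksum placeholder
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return ip_hdr + icmp


def icmp_dsize(packet):
    """Return the ICMP payload length as a dsize test would see it.

    Assumption: dsize counts the bytes after the 8-byte ICMP header.
    Returns None for non-ICMP packets. A datagram whose length field is
    smaller than the headers yields 0, never a negative (wrapping) value.
    """
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if proto != 1:
        return None
    payload_len = total_len - ihl - 8
    return max(payload_len, 0)


def large_icmp_alert(packet):
    """Mirror the rule's test: alert only when ICMP payload exceeds 800 bytes."""
    size = icmp_dsize(packet)
    return size is not None and size > DSIZE_THRESHOLD


if __name__ == "__main__":
    # Packet shaped like the one in the dump: 28-byte datagram, id 0x1775, TTL 45
    small = build_icmp_echo(0x1775, 45, "10.0.0.31", "10.0.0.5")
    print(len(small), icmp_dsize(small), large_icmp_alert(small))
    # A genuinely large echo request that the rule is written to catch
    big = build_icmp_echo(0x1776, 45, "10.0.0.31", "10.0.0.5", b"A" * 900)
    print(len(big), icmp_dsize(big), large_icmp_alert(big))
```

Running it prints a 28-byte packet with dsize 0 and no alert, and a 928-byte packet with dsize 900 that does alert, which is the behaviour the rule text describes for an unfragmented, well-formed datagram.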