Snort mailing list archives
icmp: is this real?
From: John Sage <jsage () finchhaven com>
Date: Sun, 31 Mar 2002 19:00:20 -0800
Is this a _real_ icmp packet, or a ghost in the machine?

This was in a portscan I got around midnight 03/30/02. It is in sequence with the IP ID ahead of it, and after.. And it _didn't_ have the Type: Code: ID: Seq: data line as all other packets usually do.. The DgmLen: is clearly bogus, unless snort is on crack..

Oh yeah, snort 1.8.2 build 86, running on Linux 2.2.14.

<snip>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/30-00:01:12.030074 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35873 IpLen:20 DgmLen:32
00 01 00 00 00 31 00 04 D1 49 A4 4C C0 5B 00 01  .....1...I.L.[..
00 01 00 00 00 55 00 04 D1 49 A4 07 C1 0F 00 01  .....U...I......
00 01 00 00 04 3F 00 04 D1 E4 16 32 04 D2 84 64  .....?.....2...d
65 C0 E1 00 01 00 01 00 02 A3 00 00 04 D5 B1 C2  e...............
05 C0 F1 00 01 00 01 00 02 A3 00 00 04 C0 0C 5E  ...............^
1E C1 01 00 01 00 01 00 02 A3 00 00 04 C0 37 53  ..............7S
1E 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
<snip>

This sucker is _long_ -- probably 13 page-down's when viewed with Opera at 1024x768..

<snip>
Got NULL ptr in PrintNetData()
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/30-00:01:12.040094 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35874 IpLen:20 DgmLen:64
Type:13 Code:0 TIMESTAMP REQUEST
A5 2F 03 00 47 F4 52 00 55 55 55 55 55 55 55 55  ./..G.R.UUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55                          UUUUUUUU
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
<snip>

And again, the packet before it, and after, are all in IP ID sequence with all other packets in the portscan.

- John

--
In those days, you could not buy a $2000 200MHz Pentium server.
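As an added example (not from the post, and not Snort's own code), a small checker that does the sanity test John is doing by eye: for each record in Snort-style output it compares the number of bytes actually dumped with the number DgmLen leaves room for, and notes whether the Type:/Code: line is present. The sample input is the two records quoted above with most of the all-zero rows cut; the assumption that Snort's ICMP dump begins after the 4-byte type/code/checksum is mine.

```python
import re

# Abridged Snort 1.8-style output for the two packets quoted in the post;
# most all-zero rows of the first dump are cut (constructed sample input).
SNORT_OUTPUT = """\
03/30-00:01:12.030074 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35873 IpLen:20 DgmLen:32
00 01 00 00 00 31 00 04 D1 49 A4 4C C0 5B 00 01  .....1...I.L.[..
00 01 00 00 00 55 00 04 D1 49 A4 07 C1 0F 00 01  .....U...I......
00 01 00 00 04 3F 00 04 D1 E4 16 32 04 D2 84 64  .....?.....2...d
65 C0 E1 00 01 00 01 00 02 A3 00 00 04 D5 B1 C2  e...............
05 C0 F1 00 01 00 01 00 02 A3 00 00 04 C0 0C 5E  ...............^
1E C1 01 00 01 00 01 00 02 A3 00 00 04 C0 37 53  ..............7S
1E 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/30-00:01:12.040094 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35874 IpLen:20 DgmLen:64
Type:13 Code:0 TIMESTAMP REQUEST
A5 2F 03 00 47 F4 52 00 55 55 55 55 55 55 55 55  ./..G.R.UUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55                          UUUUUUUU
"""

IP_LINE = re.compile(r"^ICMP TTL:\d+ TOS:\S+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
# One dump row: 1..16 hex octets at line start, then the ASCII column or EOL.
HEX_ROW = re.compile(r"^([0-9A-F]{2}(?: [0-9A-F]{2}){0,15})(?:\s|$)")
ICMP_FIXED = 4  # assumed: type, code, checksum precede the bytes Snort dumps


def audit_icmp_dumps(text):
    """Return, per packet record, whether the dumped bytes match DgmLen."""
    results = []
    for block in re.split(r"(?m)^=\+.*\n?", text):
        lines = block.splitlines()
        hdr = next((m for m in map(IP_LINE.match, lines) if m), None)
        if hdr is None:
            continue  # separator debris or a non-ICMP record
        ip_id, ip_len, dgm_len = (int(g) for g in hdr.groups())
        dumped = sum(len(m.group(1).split()) for m in map(HEX_ROW.match, lines) if m)
        expected = dgm_len - ip_len - ICMP_FIXED   # bytes DgmLen leaves room for
        has_type = any(ln.startswith("Type:") for ln in lines)
        results.append({"ip_id": ip_id, "expected_dump": expected, "dumped": dumped,
                        "has_type_line": has_type,
                        "consistent": has_type and dumped == expected})
    return results
```

On the full dump from the post the first record comes out far more inconsistent still, since the sensor printed hundreds of bytes against a DgmLen that allows 8.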