Snort mailing list archives

Re: ICMP Packets.


From: Skip Carter <skip () taygeta com>
Date: Mon, 26 Aug 2002 18:20:22 -0700


Anybody recognize this payload? It is part of an ICMP packet. I have
searched Google and haven't found any reason why I would see this data
in an ICMP echo packet.
Awful suspicious....

vjl

FF D8 FF FE 00 08 57 41 4E 47 32 02 FF E0 00 10   ......WANG2.....
4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF DB   JFIF.....`.`....
00 43 00 10 0B 0C 0E 0C 0A 10 0E 0D 0E 12 11 10   .C.............

   The JFIF is part of the header information in a JPEG image file.
  If somebody is really tunneling image files through an ICMP connection
  that is definitely not good (who knows what else is moving that way).




-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
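
Added example, not part of the original message: a small Python walker that treats the posted ICMP payload as the start of a JPEG stream and lists the segments it contains, which is one way to confirm the JFIF observation above. The function names are hypothetical; the payload bytes are copied from the three dump lines in the post.

```python
import struct

# ICMP echo payload exactly as posted in the thread (the three dump lines).
PAYLOAD = bytes.fromhex(
    "FFD8FFFE000857414E473202FFE00010"
    "4A46494600010101006000600000FFDB"
    "004300100B0C0E0C0A100E0D0E121110"
)

# JPEG marker codes (second byte after 0xFF) that matter for a header walk.
MARKERS = {0xD8: "SOI", 0xE0: "APP0", 0xFE: "COM", 0xDB: "DQT",
           0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xD9: "EOI"}


def walk_jpeg_segments(data):
    """Return (offset, name, declared_len, body, truncated) tuples for a
    buffer that starts like a JPEG; return [] if it does not start with SOI."""
    if data[:2] != b"\xff\xd8":
        return []
    segments = [(0, "SOI", 0, b"", False)]
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:          # length field counts itself, so < 2 is invalid
            break
        end = pos + 2 + length
        truncated = end > len(data)   # segment continues in a later packet
        name = MARKERS.get(marker, "0x%02X" % marker)
        segments.append((pos, name, length, data[pos + 4:end], truncated))
        if truncated or marker == 0xDA:   # entropy-coded data follows SOS
            break
        pos = end
    return segments


def parse_jfif(body):
    """Decode the fixed part of a JFIF APP0 body, or None if it is not JFIF."""
    if len(body) < 14 or body[:5] != b"JFIF\x00":
        return None
    major, minor, units, xd, yd, tw, th = struct.unpack(">BBBHHBB", body[5:14])
    return {"version": "%d.%02d" % (major, minor), "units": units,
            "density": (xd, yd), "thumbnail": (tw, th)}


if __name__ == "__main__":
    for off, name, length, body, truncated in walk_jpeg_segments(PAYLOAD):
        note = " (truncated by packet boundary)" if truncated else ""
        print("%3d %-5s len=%-3d %r%s" % (off, name, length, body[:8], note))
```

On the posted bytes this reports SOI, a COM segment whose body is "WANG2" plus one 0x02 byte, a JFIF 1.01 APP0 segment with density 96 x 96 (units = 1, dots per inch), and a DQT segment that declares 67 bytes but is cut off by the end of the dump.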












