Snort mailing list archives
large icmp packets with embedded jpegs
From: cmcauley () coresecure com
Date: Thu, 9 Jan 2003 10:43:08 -0500
With a Snort setup installed at a client location, we have discovered ICMP packets triggering Snort's "large icmp packet" rule. These packets have a similar, if not the same, structure to what is discussed in these links:

archives:
http://marc.theaimsgroup.com/?l=snort-users&m=103064802326192&w=2
http://marc.theaimsgroup.com/?l=snort-users&m=103771074015725&w=2

and this research:
http://www.wfu.edu/~steinsj5/work/icmp.html

There is a little more info out on the net, but it provides no further information. Is there any more information as to what these could be? Is this really normal traffic to be seeing on a win2k/XP network?

Curious minds want to know.

Chuck McAuley
Coresecure, Inc.
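For triaging alerts like the one described in the message above, the following is an added example and not part of the original post: it parses a raw IPv4/ICMP packet, reports whether the payload exceeds a size threshold, and looks for a JPEG start-of-image marker in the payload. The 800-byte threshold, the function names and the sample packets are assumptions made for illustration; set the threshold to whatever the deployed rule uses.

```python
import socket
import struct

LARGE_ICMP_DSIZE = 800          # assumed threshold; match it to the deployed rule
JPEG_SOI = b"\xff\xd8\xff"      # JPEG start-of-image marker plus next marker prefix

def triage_icmp(packet, dsize_threshold=LARGE_ICMP_DSIZE):
    """Summarise a raw IPv4/ICMP packet (bytes starting at the IP header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1:
        raise ValueError("not ICMP (IP protocol 1)")
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:min(total_len, len(packet))]   # ignore link-layer padding
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    payload = icmp[8:]                               # data after the 8-byte ICMP header
    soi = payload.find(JPEG_SOI)
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "payload_len": len(payload),
        "large": len(payload) > dsize_threshold,
        "jpeg_offset": soi if soi >= 0 else None,
        # A JFIF or Exif tag right after the marker makes a chance match unlikely.
        "jfif_or_exif": soi >= 0 and any(
            tag in payload[soi:soi + 16] for tag in (b"JFIF", b"Exif")),
    }

def build_sample(payload):
    """Constructed test packet: ICMP echo request between documentation addresses."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload  # checksums left at 0

if __name__ == "__main__":
    # Constructed payloads: one with a JPEG-style header, one ordinary small ping.
    fake_jpeg = b"\x00" * 16 + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 1000
    for name, data in (("jpeg-like", fake_jpeg), ("ordinary ping", b"abcdefgh" * 4)):
        print(name, triage_icmp(build_sample(data)))
```

Feed it the IP-layer bytes of packets exported from a capture; the source address and ICMP type it reports help identify which host and which application are generating the traffic.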