Snort mailing list archives

RE: Icmp Ping


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 19 Mar 2004 09:25:26 -0500

You're right, perhaps not a 'good choice' for a covert channel but then
some hackers seem to enjoy making a statement.  The fact that a Google
search pulled up 2 hits on this (true, that's not many) suggests that
this isn't just some individual messing with Edmund...might be but then
he's messed with a couple other people too.

The fact that nobody seems to have heard of this makes it interesting.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jim
Hendrick
Sent: Thursday, March 18, 2004 9:19 AM
To: Jerry Shenk
Cc: 'cc'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Icmp Ping


I agree that the box(es) involved should be thoroughly examined. It
*does* seem a bit obvious for any sort of covert "communications", but
still...

I would also suggest watching for any other strange ICMP traffic on your
LAN (not just to/from those boxes and not just with this payload).

Could be someone messing with a tool (and your head) or it could be
something more serious. The destination IP may not even be the intended
recipient (or even that important) if the "real" recipient could just
see the traffic, implying you should look at all boxes that might be
able to see that traffic, whether on the same switch, or having access
to a router/firewall in the path, etc.

Then again, maybe I'm just being paranoid...

Jim


On Thu, 2004-03-18 at 06:30, Jerry Shenk wrote:
That showed up on this list once before
(http://groups.google.com/groups?q=icmp+please+help+matrix+catch+me&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=I5u_a.85213%247O4.1995953%40twister.rdc-kc.rr.com&rnum=1)
and also on the comp.security.misc newsgroup
(http://groups.google.com/groups?q=icmp+please+help+matrix+catch+me&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=aa34f8a6.0307300004.60fadc8d%40posting.google.com&rnum=4).
I didn't remember but google did;)

Was that traffic originating from one of your boxes or coming in?  I'd
give the related box a serious check.  First thought was a back door but
then the question is, "Why be so obvious?"  How long a period of time
did this traffic involve?  Is it still going on?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of cc
Sent: Thursday, March 18, 2004 4:38 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Icmp Ping


Hi,

I was looking at ACID's report for the first time this month
and noticed the extraordinary amount of ICMP PINGs.  I took
a look at one, and was surprised to find the following as
the payload:

000 : 50 6C 65 61 73 65 20 68 65 6C 70 20 6D 65 2C 20   Please help me,
010 : 6D 61 74 72 69 78 20 63 61 74 63 68 20 6D 65 20   matrix catch me

That can't be a ping.

Can someone point out whether or not I fuzzed up my
snort configuration?

Thanks.

Edmund




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
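The thread's practical question is how to tell a normal echo-request payload from one carrying text like the dump Edmund quoted. The script below is an added example for this archive page, not code from the thread, from Snort or from ACID: it rebuilds the raw bytes from ACID-style "offset : hex ... ascii" dump lines and classifies the payload against two well-known ping fillers (the Windows ping alphabet string and the iputils ping layout of an 8-byte timestamp followed by bytes whose value equals their offset), flagging anything else that is mostly printable ASCII. The dump embedded in the script is the one from the thread; the function names and the 90% printable threshold are this example's own choices.

```python
import re
import string

# The two hex-dump lines quoted in the original post, rejoined onto one line each.
THREAD_DUMP = """\
000 : 50 6C 65 61 73 65 20 68 65 6C 70 20 6D 65 2C 20   Please help me,
010 : 6D 61 74 72 69 78 20 63 61 74 63 68 20 6D 65 20   matrix catch me
"""

# Default payload of the Windows ping client (32 bytes).
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"

# "<hex offset> : <up to 16 hex byte pairs>"; the trailing ASCII column is ignored.
# Caveat: a short final line whose ASCII column starts with hex-looking pairs
# (e.g. "de ad") could be over-consumed; the 16-pair cap limits the damage.
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2}\s+){1,16})")

# Printable ASCII minus vertical tab and form feed, which real text rarely contains.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the raw payload from ACID-style dump lines, checking offsets are contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # blank line or a line that is not part of the dump
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} does not follow {len(out)} bytes already read")
        out.extend(bytes.fromhex(m.group(2)))
    return bytes(out)


def looks_like_iputils(payload: bytes) -> bool:
    """iputils ping: 8-byte timeval, then payload[i] == i (mod 256) for the rest."""
    return len(payload) > 8 and all(payload[i] == (i & 0xFF) for i in range(8, len(payload)))


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def classify_echo_payload(payload: bytes) -> str:
    """Label an ICMP echo payload: known ping filler, readable text, or something else."""
    if not payload:
        return "empty"
    if payload == WINDOWS_PING:
        return "windows-ping"
    if looks_like_iputils(payload):
        return "iputils-ping"
    if printable_ratio(payload) >= 0.9:
        return "ascii-text"  # worth a look: ping tools do not normally send prose
    return "other"


def triage_dump(dump: str) -> tuple:
    """Parse a dump and return (classification, decoded payload) for an analyst."""
    payload = parse_hex_dump(dump)
    return classify_echo_payload(payload), payload


if __name__ == "__main__":
    label, payload = triage_dump(THREAD_DUMP)
    print(label, payload)  # ascii-text b'Please help me, matrix catch me '
```

Run against a capture, the useful output is the set of payloads that land in "ascii-text" or "other": those are the echo requests that deserve the host check and the wider ICMP review Jim and Jerry recommend, while the two filler patterns account for ordinary ping traffic.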