Snort mailing list archives
RE: Icmp Ping
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 19 Mar 2004 09:25:26 -0500
You're right, perhaps not a 'good choice' for a covert channel but then some hackers seem to enjoy making a statement. The fact that a Google search pulled up 2 hits on this (true, that's not many) suggests that this isn't just some individual messing with Edmund...might be but then he's messed with a couple other people too. The fact that nobody seems to have heard of this makes it interesting.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jim Hendrick
Sent: Thursday, March 18, 2004 9:19 AM
To: Jerry Shenk
Cc: 'cc'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Icmp Ping

I agree that the box(es) involved should be thoroughly examined. It *does* seem a bit obvious for any sort of covert "communications", but still...

I would also suggest watching for any other strange ICMP traffic on your LAN (not just to/from those boxes and not just with this payload). Could be someone messing with a tool (and your head) or it could be something more serious.

The destination IP may not even be the intended recipient (or even that important) if the "real" recipient could just see the traffic, implying you should look at all boxes that might be able to see that traffic, whether on the same switch, or having access to a router/firewall in the path, etc.

Then again, maybe I'm just being paranoid...

Jim

On Thu, 2004-03-18 at 06:30, Jerry Shenk wrote:
That showed up on this list once before (http://groups.google.com/groups?q=icmp+please+help+matrix+catch+me&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=I5u_a.85213%247O4.1995953%40twister.rdc-kc.rr.com&rnum=1) and also on the comp.security.misc newsgroup (http://groups.google.com/groups?q=icmp+please+help+matrix+catch+me&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=aa34f8a6.0307300004.60fadc8d%40posting.google.com&rnum=4). I didn't remember but Google did;) Was that traffic originating from one of your boxes or coming in? I'd give the related box a serious check. First thought was a back door but then the question is, "Why be so obvious?" How long a period of time did this traffic involve? Is it still going on?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of cc
Sent: Thursday, March 18, 2004 4:38 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Icmp Ping

Hi,

I was looking at ACID's report for the first time this month and noticed the extraordinary amount of ICMP PINGs. I took a look at one, and was surprised to find the following as the payload:

000 : 50 6C 65 61 73 65 20 68 65 6C 70 20 6D 65 2C 20 Please help me,
010 : 6D 61 74 72 69 78 20 63 61 74 63 68 20 6D 65 20 matrix catch me

That can't be a ping. Can someone point out whether or not I fuzzed up my snort configuration?

Thanks.
Edmund

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
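As an added defender-side example (not code from the thread), a small Python script that turns an ACID hex dump like the one Edmund quoted back into bytes and checks whether the payload is the stock filler that Windows or Linux ping sends; anything else, such as readable text, gets flagged for the kind of look Jim and Jerry suggest. The stock payload patterns are my assumption about those ping implementations, not something the thread states.

```python
import re

# Constructed sample in ACID's hex-dump layout ("offset : 16 hex bytes  ascii"),
# reproducing the payload quoted in the thread.
ACID_DUMP = """\
000 : 50 6C 65 61 73 65 20 68 65 6C 70 20 6D 65 2C 20 Please help me,
010 : 6D 61 74 72 69 78 20 63 61 74 63 68 20 6D 65 20 matrix catch me"""

# Assumed stock echo-request payloads (not taken from the thread): Windows ping
# sends the 32-byte alphabet string below; iputils ping on Linux sends a
# timestamp (8 or 16 bytes) followed by filler where the byte at offset i is i.
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwxyzabcdef"
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_acid_dump(dump: str) -> bytes:
    """Turn ACID's 'offset : hex ... ascii' rows back into raw payload bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        tokens = line.split(":", 1)[1].split()
        # A row carries at most 16 bytes; the ASCII column begins at the first
        # token that is not a two-digit hex byte.
        for tok in tokens[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def classify_payload(payload: bytes) -> str:
    """Label an ICMP echo payload as stock ping filler or as something else."""
    if not payload:
        return "empty"
    if payload == WINDOWS_PAYLOAD:
        return "windows-ping"
    for ts_len in (8, 16):
        filler = payload[ts_len:]
        if filler and all(b == (ts_len + i) & 0xFF for i, b in enumerate(filler)):
            return "iputils-ping"
    # Anything else deserves a look: readable text is the case from the thread,
    # unexplained binary filler may be a tool default or tunnelled data.
    if all(0x20 <= b < 0x7F for b in payload):
        return "nonstandard:text"
    return "nonstandard:binary"
```

Run `classify_payload(parse_acid_dump(ACID_DUMP))` on the quoted dump and it comes back as nonstandard text rather than a stock ping; the same two functions can be pointed at every ICMP echo ACID has logged, not just the ones to or from the boxes already under suspicion.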