Snort mailing list archives
Re: normal vs. malicious icmp echo
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 06 May 2004 11:50:27 -0400
At 11:25 PM 5/5/2004, Mario Guerendo wrote:
I just wanted to know if anybody had a snort rule available that would differentiate a normal ICMP echo ping from a malicious one?
And what difference would you expect there to be? Do you expect them to be RFC 3514 compliant??? http://www.faqs.org/rfcs/rfc3514.html
A ping is a network diagnostic probe. It provides information about network timing and if hosts are up or not. Normal vs malicious is a difference in how that information is used, and not a difference in the packet.
Snort's default ruleset has a lot of rules to detect what program generated an icmp echo, but knowing what tool made the packet (windows "ping", nmap, whatsup gold, superscan, etc) won't tell you if the packet is malicious or not. And let's face it, from a standpoint of a hacker, what format the ping packet is completely irrelevant, so they can make it look like a windows ping, or whatever else they want.
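To illustrate the point of the reply above, here is an added example (not part of the original post or of Snort): it parses ICMP echo requests from raw bytes, applies a tool fingerprint of the kind Snort's stock "ICMP PING Windows" rule uses (a payload starting with "abcdefghijklmnop"), and then shows that the only thing separating a host's routine ping from a sweep is the usage pattern, so the detection that works is one that counts distinct destinations per source over time. All packets, addresses, timestamps, the window and the threshold are constructed for the example.

```python
import struct
from collections import defaultdict


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (RFC 792 uses it for ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload):
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo(pkt):
    """Return (ident, seq, payload) for a well-formed echo request, else None."""
    if len(pkt) < 8:
        return None
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if typ != 8 or code != 0:
        return None
    # Summing the whole packet including the checksum field gives 0 when intact.
    if icmp_checksum(pkt) != 0:
        return None
    return ident, seq, pkt[8:]


# Payload prefixes of the kind Snort's ICMP PING rules key on. Only the Windows
# one is included here; it is the classic "abcdefghijklmnop..." payload.
FINGERPRINTS = {
    "windows-ping": b"abcdefghijklmnop",
}


def fingerprint(payload):
    """Guess the generating tool from the payload. Says nothing about intent."""
    for name, prefix in FINGERPRINTS.items():
        if payload.startswith(prefix):
            return name
    return "unknown"


def detect_sweeps(events, window=10.0, threshold=5):
    """Flag a source that echo-probes more than `threshold` distinct
    destinations within `window` seconds. events: (ts, src, dst, raw_icmp)."""
    seen = defaultdict(list)  # src -> [(ts, dst), ...]
    flagged = {}
    for ts, src, dst, pkt in sorted(events, key=lambda e: e[0]):
        if parse_echo(pkt) is None:
            continue  # not an echo request, or corrupt: ignore
        seen[src].append((ts, dst))
        recent = {d for t, d in seen[src] if ts - t <= window}
        if len(recent) > threshold and src not in flagged:
            flagged[src] = len(recent)
    return flagged


# Constructed traffic: 10.0.0.5 pings one host three times; 10.0.0.99 sends the
# byte-for-byte same Windows-style payload to eight hosts in under two seconds.
WIN_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
SAMPLE_EVENTS = (
    [(float(i), "10.0.0.5", "10.0.0.1", build_echo(0x1234, i, WIN_PAYLOAD))
     for i in range(3)]
    + [(5.0 + i * 0.2, "10.0.0.99", "10.0.0.%d" % (i + 1),
        build_echo(0x1234, i, WIN_PAYLOAD)) for i in range(8)]
)

if __name__ == "__main__":
    for ts, src, dst, pkt in SAMPLE_EVENTS:
        _, _, payload = parse_echo(pkt)
        print("%5.1f %-10s -> %-10s %s" % (ts, src, dst, fingerprint(payload)))
    print("sweeps:", detect_sweeps(SAMPLE_EVENTS))
```

Every packet above fingerprints as "windows-ping", so a content rule fires on both the routine ping and the sweep, or on neither if the sender changes the payload. The per-source destination count is what actually separates the two, which is exactly the "how the information is used" distinction the reply makes.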
Current thread:
- normal vs. malicious icmp echo Mario Guerendo (May 05)
- Re: normal vs. malicious icmp echo Erik Fichtner (May 05)
- Re: normal vs. malicious icmp echo Matt Kettler (May 06)
- Re: normal vs. malicious icmp echo Milo Velimirovic (May 06)