Snort mailing list archives
Re: decoder: 'DECODE_ICMP4_TYPE_OTHER' alert, false positive?
From: Bram <bram-fabeg () mail wizbit be>
Date: Wed, 18 Sep 2013 21:31:36 +0200
Hi,

Sorry for the late reply, got caught up in some other stuff.

I do not know how ICMPv6 is handled... my experience with IPv6 in general is too limited...

Best regards,

Bram

Quoting Victor Roemer <vroemer () sourcefire com>:

> Bram,
>
> I'm not surprised to see this behavior, though that doesn't mean it's appropriate.
>
> Do you know if ICMPv6 is handled the same way?
>
> I think it would be more useful to have individual alerts for "deprecated", "reserved" etc.. I'll open a bug to address this annoyance.
>
> Thanks
>
> On Wed, Sep 4, 2013 at 9:10 AM, Bram <bram-fabeg () mail wizbit be> wrote:
>
>> Hi,
>>
>> When should snort generate the 'DECODE_ICMP4_TYPE_OTHER' alert?
>>
>> Currently the alert is generated for some ICMP types that are defined by IANA and for which an RFC exists.
>>
>> Looking at the code shows that a list of 'known' (src/decode.h) ICMP types is used and that the alert is generated for all other ICMP types.
>>
>> The question though: based on what was this list created? I see two options:
>> * All defined ICMP types - at the time the code was written - were added
>> * A subset of the defined ICMP types were added
>>
>> Personally I would expect to see the 'DECODE_ICMP4_TYPE_OTHER' for ICMP types that are completely unknown (not assigned by IANA/no RFC).
>> But: there appears to be no documentation for this rule so I'm not sure what the expected/correct behaviour is...
>>
>> IANA list: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
>>
>> Known by snort (OK)
>> * Type 0 - Echo Reply
>> * Type 3 - Destination Unreachable
>> * Type 4 - Source Quench (Deprecated)
>> * Type 5 - Redirect
>> * Type 8 - Echo
>> * Type 9 - Router Advertisement
>> * Type 10 - Router Selection
>> * Type 11 - Time Exceeded
>> * Type 12 - Parameter Problem
>> * Type 13 - Timestamp
>> * Type 14 - Timestamp Reply
>> * Type 15 - Information Request (Deprecated)
>> * Type 16 - Information Reply (Deprecated)
>> * Type 17 - Address Mask Request (Deprecated)
>> * Type 18 - Address Mask Reply (Deprecated)
>>
>> Unknown by snort:
>> * Type 6 - Alternate Host Address (Deprecated)
>> * Type 30 - Traceroute (Deprecated)
>> * Type 31 - Datagram Conversion Error (Deprecated)
>> * Type 32 - Mobile Host Redirect (Deprecated)
>> * Type 33 - IPv6 Where-Are-You (Deprecated)
>> * Type 34 - IPv6 I-Am-Here (Deprecated)
>> * Type 35 - Mobile Registration Request (Deprecated)
>> * Type 36 - Mobile Registration Reply (Deprecated)
>> * Type 37 - Domain Name Request (Deprecated)
>> * Type 38 - Domain Name Reply (Deprecated)
>> * Type 39 - SKIP (Deprecated)
>> * Type 40 - Photuris
>> * Type 41 - ICMP messages utilized by experimental mobility protocols such as Seamoby
>>
>> Other (OK)
>> * Type 1 - Unassigned
>> * Type 2 - Unassigned
>> * Type 7 - Unassigned
>> * Type 19 - Reserved (for Security)
>> * Types 20-29 - Reserved (for Robustness Experiment)
>> * Types 42-252 - Unassigned
>> * Type 253 - RFC3692-style Experiment 1
>> * Type 254 - RFC3692-style Experiment 2
>>
>> I expect/expected an alert only for the 'Other' list..
>>
>> This was detected because an ICMP message with type 37 was received (and an alert generated). It is unknown what system generated that particular ICMP packet...
>>
>> Just for reference:
>>
>> config:
>> dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>> alert ( msg:"DECODE_ICMP4_TYPE_OTHER"; sid:418; gid:116; rev:1; metadata:rule-type decode; )
>> output alert_fast: stdout
>>
>> running it:
>> $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/icmp_37.cap 2>&1 2>&1 | grep 116
>> 07/21-15:29:41.473279 [**] [116:418:1] (snort_decoder) WARNING: ICMP4 type other [**] [Priority: 0] {ICMP} 192.168.99.111 -> 10.10.10.10
>>
>> snort version:
>> $ snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.5.3 GRE (Build 132)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.3.0
>>            Using PCRE version: 8.32 2012-11-30
>>            Using ZLIB version: 1.2.8
>>
>> Best regards,
>>
>> Bram
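As an added example (not code from the thread, from Snort, or from either poster), here is a small Python check of the two policies the thread contrasts: the fixed "known" type list from src/decode.h as transcribed in the message (alert on everything else), versus alerting only on types IANA lists as unassigned, reserved or experimental. The ICMP packet is constructed here; type 255, which the message does not list, is treated as not assigned.

```python
import struct

# "Known by snort" list as transcribed in the thread (Snort 2.9.5.3, src/decode.h).
SNORT_KNOWN_TYPES = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}

# Types IANA has assigned (current or deprecated, with an RFC) per the thread:
# the known list plus 6 and 30-41. Everything else is unassigned/reserved/experimental.
IANA_ASSIGNED = SNORT_KNOWN_TYPES | {6} | set(range(30, 42))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Constructed ICMPv4 message: type, code, checksum, then payload."""
    header = struct.pack("!BBH", icmp_type, code, 0)
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header + payload)) + payload


def parse_icmp(data: bytes) -> tuple:
    """Return (type, code, checksum_ok); a valid message sums to zero."""
    if len(data) < 4:
        raise ValueError("ICMP header is at least 4 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", data[:4])
    return icmp_type, code, icmp_checksum(data) == 0


def classify(data: bytes) -> dict:
    """Compare what the decoder does with what the thread expects for one packet."""
    icmp_type, code, ok = parse_icmp(data)
    fires = icmp_type not in SNORT_KNOWN_TYPES      # DECODE_ICMP4_TYPE_OTHER as implemented
    expected = icmp_type not in IANA_ASSIGNED       # alert only for the 'Other' list
    return {"type": icmp_type, "code": code, "checksum_ok": ok,
            "snort_alerts": fires, "expected_alert": expected,
            "false_positive": fires and not expected}


# Constructed sample: a type 37 (Domain Name Request, deprecated) message like the one
# that triggered the alert in the thread; the id/seq payload is made up.
TYPE37_PKT = build_icmp(37, 0, struct.pack("!HH", 0x1234, 1))

if __name__ == "__main__":
    print(classify(TYPE37_PKT))
```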
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Current thread:
- decoder: 'DECODE_ICMP4_TYPE_OTHER' alert, false positive? Bram (Sep 04)
- Re: decoder: 'DECODE_ICMP4_TYPE_OTHER' alert, false positive? Victor Roemer (Sep 06)
- Re: decoder: 'DECODE_ICMP4_TYPE_OTHER' alert, false positive? Bram (Sep 18)
- Re: decoder: 'DECODE_ICMP4_TYPE_OTHER' alert, false positive? Victor Roemer (Sep 06)