Re: Large ICMP Packets with strange payload

From: Eric Landuyt (ericat_private)
Date: Wed Jan 09 2002 - 09:21:04 PST


    Hello Brennan,
    
    BB> I do not like seeing strings like "arpspoof", "frag/defrag",
    BB> "stream_reassemble", "portscan", "rpc_decode", and "telnet_decode" in Large
    BB> ICMP Packets.
    
    BB> Is this a Loki style covert communication channel, or just normal traffic?
    
    Fortunately, I think that this is not the case here.
    If I remember some preceding browsing in Snort's source code ;),
    most of the strings we found at the END OF THE DUMP (not the end of the
    packet... I'll explain further) are identifiers/function
    names/params/... from Snort itself.
    For example, we can find "stream4_reassemble" (relative to stream
    reassembling engine), or "spade-homenet" (relative to Spade -
    Statistical Packet Anomaly Detection Engine, a Snort preprocessor
    plugin).
    
    In the same way, we also observe some strings usually relative to
    DNS traffic, like "A.ROOT-SERVERS.NET", for example.
    
    If we look carefully at information from the header, we can observe
    IpLen = 20 and DgmLen = 28: we can thus deduce that the exact ICMP
    datagram size was in fact 8 bytes.
    Probably, your ICMP packet was simply something like:
    00 00 00 00 00 00 00 00
    
    My personal opinion is that an eventual bug (??!!) exists in Snort's
    dump function (dumping too many bytes), and thus gave us those extra
    dump bytes, resulting in printing bytes from packets/information
    previously stored at the address of your ICMP datagram in memory,
    and overwritten by this datagram.
    
    Hope this helps,
    --
    Eric Landuyt, Developer - mailto:ericat_private
    DataRescue sa/nv, Home of the IDA Pro Disassembler - http://www.datarescue.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
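The check Eric applies above (IpLen = 20, DgmLen = 28, so the ICMP datagram is only 8 bytes and anything the dump prints past that was never on the wire) can be automated when triaging an alert. The following is an added example, not code from the post or from Snort: it parses the IPv4 header of a constructed packet, derives the true ICMP datagram length, and separates the printable strings that were actually on the wire from those that only appear in the over-read region of a constructed dump. The packet bytes, the dump bytes and the "stale memory" strings appended to it are all constructed here for illustration.

```python
import struct

# Constructed sample packet (not from the original post): a minimal IPv4 header
# (IHL=5, total length 28, protocol 1 = ICMP) carrying an 8-byte ICMP echo
# request with an empty payload, which is what the post hypothesises was sent.
def build_sample_packet() -> bytes:
    ver_ihl = (4 << 4) | 5          # IPv4, header length 5 * 4 = 20 bytes (IpLen)
    total_len = 28                  # DgmLen as the IDS reports it
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, total_len, 0x1234, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0, 0)   # echo request, checksum left zero
    return ip_hdr + icmp

def ip_header_length(packet: bytes) -> int:
    """IpLen: the IHL nibble times four."""
    return (packet[0] & 0x0F) * 4

def ip_total_length(packet: bytes) -> int:
    """DgmLen: the 16-bit total length field."""
    return struct.unpack("!H", packet[2:4])[0]

def icmp_datagram_length(packet: bytes) -> int:
    """Bytes that genuinely belong to the ICMP datagram: DgmLen minus IpLen."""
    return ip_total_length(packet) - ip_header_length(packet)

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len characters (like strings(1))."""
    out, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out

def analyse_dump(packet: bytes, dumped_payload: bytes) -> dict:
    """Compare what a tool printed as the ICMP payload against the IP header.

    Everything beyond icmp_datagram_length() is an over-read of whatever sat in
    the capture buffer before this packet, not data that crossed the network.
    """
    expected = icmp_datagram_length(packet)
    overrun = dumped_payload[expected:]
    return {
        "ip_len": ip_header_length(packet),
        "dgm_len": ip_total_length(packet),
        "icmp_len": expected,
        "dumped_len": len(dumped_payload),
        "overrun_len": len(overrun),
        "on_wire_strings": printable_strings(dumped_payload[:expected]),
        "overrun_strings": printable_strings(overrun),
    }

# Constructed dump: the real 8-byte ICMP datagram followed by stale buffer
# contents containing the kind of identifiers the thread noticed.
SAMPLE_DUMP = (build_sample_packet()[20:]
               + b"\x00\x00stream4_reassemble\x00spade-homenet\x00A.ROOT-SERVERS.NET\x00")

if __name__ == "__main__":
    result = analyse_dump(build_sample_packet(), SAMPLE_DUMP)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a real alert, `packet` would be the raw IPv4 bytes from the pcap and `dumped_payload` the hex the IDS printed; a non-zero `overrun_len` with suspicious strings only in `overrun_strings` is the signature of a dump-length bug rather than a covert channel, while strings inside the first `icmp_len` bytes are the ones that actually travelled over the network and deserve a closer look.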
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 13:32:27 PST