Hello Brennan, BB> I do not like seeing strings like "arpspoof", "frag/defrag", BB> "stream_reassemble", "portscan", "rpc_decode", and "telnet_decode" in Large BB> ICMP Packets. BB> Is this a Loki style covert communication channel, or just normal traffic? Fortunately, I think that this is not the case here. If I remember some preceding browsing in Snort's source code ;), most of the strings we found at the END OF THE DUMP (not the end of the packet... I'll explain further) are identifiers/function names/params/... from Snort's itself. For example, we can find "stream4_reassemble" (relative to stream reassembling engine), or "spade-homenet" (relative to Spade - Statistical Packet Anomaly Detection Engine, a Snort preprocessor plugin). In the same way, we also observe some strings usually relative to DNS traffic, like "A.ROOT-SERVERS.NET", for example. If we look carefully at informations from the header, we can observe IpLen = 20 and DgmLen = 28: we can thus deduce that the exact ICMP datagram size was in fact 8 bytes. Probably, your ICMP packet was simply something like: 00 00 00 00 00 00 00 00 My personal opinion is that an eventual bug (??!!) exists in Snort's dump function (dumping too many bytes), and thus gave us those extra dump bytes, resulting in printing bytes from packets/informations previously stored at the address of your ICMP datagram in memory, and overwriten by this datagram. Hope this helps, -- Eric Landuyt, Developper - mailto:ericat_private DataRescue sa/nv, Home of the IDA Pro Disassembler - http://www.datarescue.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 13:32:27 PST