Re: Large ICMP Packets with strange payload

From: Russell Fulton (R.FULTONat_private)
Date: Wed Jan 09 2002 - 14:04:02 PST


    On Thu, 2002-01-10 at 06:21, Eric Landuyt wrote:
    > Hello Brennan,
    > 
    > BB> I do not like seeing strings like "arpspoof", "frag/defrag",
    > BB> "stream_reassemble", "portscan", "rpc_decode", and "telnet_decode"  in Large
    > BB> ICMP Packets.
    > 
    > BB> Is this a Loki style covert communication channel, or just normal traffic?
    > 
    > Fortunately, I think that this is not the case here.
    > If I remember some preceding browsing in Snort's source code ;),
    > most of the strings we found at the END OF THE DUMP (not the end of the
    > packet... I'll explain further) are identifiers/function
    > names/params/... from Snort itself.
    > For example, we can find "stream4_reassemble" (relative to stream
    > reassembling engine), or "spade-homenet" (relative to Spade -
    > Statistical Packet Anomaly Detection Engine, a Snort preprocessor
    > plugin).
    > 
    
    There are bugs in the stream4 reassembling whereby snort gets the lengths wrong
    and this causes 'garbage' to be appended to the packets before they go
    through the packet matching engine and logging.  Marty made some changes 
    yesterday which are in the latest 1.8.3 branch of the CVS.  I have not yet tried out this
    version as I can not figure out how to get the 1.8.3 branch from the CVS.
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
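As an added example (not code from this thread or from Snort), here is a small Python triage helper that makes Eric's distinction between the end of the packet and the end of the dump mechanical: it reads the IPv4 total-length field, splits a logged dump into the on-the-wire packet and whatever was appended beyond it, and reports whether the trailing bytes carry the Snort-internal identifiers named in the thread. The marker list and the sample dump are constructed from the strings quoted above.

```python
import re
import struct

# Snort-internal identifiers quoted in this thread. Finding them in the bytes
# that lie *beyond* the IP total length points to a stream4 logging artifact.
SNORT_MARKERS = (
    b"arpspoof", b"frag/defrag", b"stream_reassemble", b"stream4_reassemble",
    b"portscan", b"rpc_decode", b"telnet_decode", b"spade-homenet",
)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def ip_total_length(dump: bytes) -> int:
    """Return the IPv4 total-length field (header bytes 2-3, big endian)."""
    if len(dump) < 20 or dump[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return struct.unpack("!H", dump[2:4])[0]


def triage_icmp_dump(dump: bytes) -> dict:
    """Split a logged dump into the on-the-wire packet and any trailing
    overrun, and say whether the overrun looks like Snort's own memory."""
    total = ip_total_length(dump)
    overrun = dump[total:]
    markers = [m.decode() for m in SNORT_MARKERS if m in overrun]
    if not overrun:
        verdict = "no bytes beyond IP total length"
    elif markers:
        verdict = "trailing bytes carry Snort identifiers: likely logging artifact"
    else:
        verdict = "trailing bytes without known markers: inspect by hand"
    return {
        "declared_len": total,
        "captured_len": len(dump),
        "overrun_len": len(overrun),
        "overrun_strings": [s.decode() for s in PRINTABLE_RUN.findall(overrun)],
        "snort_markers": markers,
        "verdict": verdict,
    }


def build_sample_dump(with_overrun: bool = True) -> bytes:
    """Constructed sample: IPv4 + ICMP echo request with an 8-byte payload,
    optionally followed by garbage resembling Snort's internal strings."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"
    total = 20 + len(icmp)  # what the sender actually put on the wire
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    garbage = b"\x00\x10stream4_reassemble\x00spade-homenet\x00"
    return ip + icmp + (garbage if with_overrun else b"")
```

Run it against a real dump by passing the raw bytes of one logged packet, starting at the IP header, in place of the constructed sample.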
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:51:18 PST