
List:       snort-users
Subject:    RE: [Snort-users] question ? -> (MISC Large ICMP Packet)
From:       "Ofir Arkin" <ofir () sys-security ! com>
Date:       2001-12-31 0:46:23

Well,
 
I can answer for the first part [the /var/log/snort/alert ICMP entry].
NMAP starts ANY scan by sending an ICMP echo request without any payload
to the target. No "legal" ICMP echo request is being sent without a
payload; this is the reason you see the entry in /var/log/snort/alert for
suspicious activity.
 
For the SYN stealth scan you produced with NMAP:
When you produce a SYN stealth scan with NMAP, it sends a SYN request to
a targeted port (in your case TCP 5000).
Then NMAP sends a SYN request to the port. If the port is closed you
will receive a RST back. If not, you will receive a SYN/ACK and NMAP will
respond with a RST to tear down the connection.
 
Hope this helps
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA 
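
As an added example that is not part of Ofir's reply or of the Snort
distribution, the Python below reproduces both points in code. Part 1 builds
an ICMP echo request with no payload, as the reply says Nmap does, next to
an ordinary 56-byte ping, and applies the test a Snort rule with the options
`itype:8; dsize:0` would apply; it also derives the payload length from the
IpLen/DgmLen fields printed in the alert above (28 - 20 - 8 = 0). Part 2
replays a constructed capture of a half-open SYN scan of one port on several
hosts and classifies each probe the way the reply describes (RST back =
closed, SYN/ACK back then a RST from the scanner = open), and flags the
one-port-many-hosts pattern of a /27 sweep. The addresses, ports and segment
sequence are constructed (RFC 5737 documentation ranges), not taken from the
original capture.

```python
"""Added example: Nmap's empty-payload ping and a half-open SYN scan, in code.
All packets and addresses below are constructed for illustration."""
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8   # Type:8 Code:0 in the alert
IP_HDR_LEN = 20         # IpLen:20 in the alert
ICMP_HDR_LEN = 8        # type, code, checksum, id, seq


def icmp_payload_len(ip_hdr_len: int, dgm_len: int) -> int:
    """Data bytes in an ICMP datagram, from the IpLen/DgmLen fields of a
    Snort alert. For DgmLen:28 and IpLen:20 this is 0: no payload at all."""
    return dgm_len - ip_hdr_len - ICMP_HDR_LEN


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Raw ICMP echo request. Nmap's host-discovery ping sends this with an
    empty payload; ping(8) normally appends 56 bytes of timestamp/pattern."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def looks_like_nmap_ping(icmp: bytes) -> bool:
    """The condition a Snort rule expresses as `itype:8; dsize:0`:
    an echo request whose data part is empty."""
    return icmp[0] == ICMP_ECHO_REQUEST and len(icmp) == ICMP_HDR_LEN


SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

# Constructed capture of `nmap -sS -p 5000` against three hosts:
# (src, sport, dst, dport, flags). No three-way handshake is ever
# completed, which is what makes the scan "half-open".
SAMPLE_SEGMENTS = [
    ("192.0.2.10", 40001, "198.51.100.33", 5000, SYN),        # probe
    ("198.51.100.33", 5000, "192.0.2.10", 40001, SYN | ACK),  # open port answers
    ("192.0.2.10", 40001, "198.51.100.33", 5000, RST),        # nmap tears it down
    ("192.0.2.10", 40002, "198.51.100.34", 5000, SYN),        # probe
    ("198.51.100.34", 5000, "192.0.2.10", 40002, RST | ACK),  # closed port answers
    ("192.0.2.10", 40003, "198.51.100.35", 5000, SYN),        # probe, no answer
]


def classify_probes(segments):
    """Port state per (host, port) probed, following the exchange in the
    reply: RST back = closed, SYN/ACK back = open, nothing back = filtered."""
    state = {}
    for src, sport, dst, dport, flags in segments:
        if flags == SYN:                       # a fresh probe from the scanner
            state[(src, sport, dst, dport)] = "filtered"
            continue
        probe = (dst, dport, src, sport)       # a reply travels the other way
        if probe not in state:                 # e.g. the scanner's own RST
            continue
        if flags & RST:
            state[probe] = "closed"
        elif flags & SYN and flags & ACK:
            state[probe] = "open"
    return {(dst, dport): s for (_, _, dst, dport), s in state.items()}


def horizontal_sweep(segments, min_hosts=2):
    """One source sending SYNs to the same port on many hosts and never
    completing a handshake (no ACK-only segment from it): the shape of a
    `-p 5000 a.b.c.d/27` scan. Returns {(src, dport): host_count}."""
    targets = defaultdict(set)
    completed = set()
    for src, sport, dst, dport, flags in segments:
        if flags == SYN:
            targets[(src, dport)].add(dst)
        elif flags == ACK:                     # third step of a real handshake
            completed.add((src, dport))
    return {k: len(v) for k, v in targets.items()
            if len(v) >= min_hosts and k not in completed}


if __name__ == "__main__":
    nmap_ping = build_echo_request(32253, 156)          # ID/Seq from the alert
    print("alert payload bytes:", icmp_payload_len(20, 28))
    print("nmap-style ping flagged:", looks_like_nmap_ping(nmap_ping))
    print("56-byte ping flagged:", looks_like_nmap_ping(build_echo_request(1, 1, b"\x00" * 56)))
    print(classify_probes(SAMPLE_SEGMENTS))
    print(horizontal_sweep(SAMPLE_SEGMENTS, min_hosts=3))
```

The two halves answer the two halves of the question: the ICMP probe is
flagged purely on its shape (type 8, zero data, total length 28), while a
single SYN per host looks like the first segment of any legitimate
connection, so it only stands out when you correlate across hosts, as
`horizontal_sweep` does, rather than per packet.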
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of cdowns
Sent: Sunday, 30 December 2001 18:08
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] question ? -> (MISC Large ICMP Packet)
 
Morning All, 
    Out of curiosity I decided to check my network for port 5000 tcp.
Just for the hell of it and to see how Snort will react to someone
snooping for the new Xsploit.c  tcp 5000 windows ME/XP remote DOS/Shell.
Here I used a really basic NMAP Stealth Syn scan and here is the reply
in the /var/log/snort/alert: 
Scan: 
blasphemy# nmap -sS -p 5000 64.28.89.32/27 
Logged: 
[**] [1:499:1] MISC Large ICMP Packet [**] 
[Classification: Potentially Bad Traffic] [Priority: 2] 
12/30-12:56:06.091068 24.128.143.28 -> 64.28.89.63 
ICMP TTL:17 TOS:0x0 ID:26834 IpLen:20 DgmLen:28 
Type:8  Code:0  ID:32253   Seq:156  ECHO 
[Xref => http://www.whitehats.com/info/IDS246] 
Obviously I deny all traffic to these high ports but am stumped by the
output. Can anyone explain why Snort does not see an NMAP SYN scan, or
does stealth mode actually work?
thanks, 
~>D



_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
