[Snort-sigs] sig for recent massive ICMP scans

From: SoloNet Newsfeed <newsfeed(at)solo.net>
Date: Thu Sep 25 2003 - 16:43:37 EDT

I don't know if everybody else has been receiving the amount of ICMP traffic scans we have been (noticed on mutiple sensors and different ISPs) But they were triggering on false CyberKit rules. Here's a sig I'm working on that seems to match this particular issue. The recommendation from the CyberKit rule on snort.org for blocking certain ICMP traffic works liek a charm, but if you're determined to weed these folks out, here's the sig, comments are welcome.

I've seen that the packet size is always 106 bytes, this payload are is always 64. They scan the next netblock after hitting the .10 and .50 IPs of the previous class C which is the actual target of the scan. Header size is also 20 bytes.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING

Scan Netblock (VIRUS?)";content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;icode:0;depth:106;classtype:misc-activity;rev:1;) 

------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Thu Sep 25 17:42:24 2003