[Dshield] ICMP increase

Mike Beattie webmaster at erthdra.com
Mon Aug 18 14:37:55 GMT 2003


Sorry for sounding a little lame; some of this is rather new to me.
I was trying to get the full packet with tcpdump but couldn't find the
correct switches.
I just found this in the /var/log/snort directory. Is this the full packet?


[**] ICMP PING CyberKit 2.2 Windows [**]
08/18-10:16:43.229405 209.214.10.59 -> 209.213.232.118
ICMP TTL:109 TOS:0x0 ID:10427 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:36576  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Mike
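A quick way to answer the question in the post is to check the alert's own arithmetic: DgmLen 92 minus the 20-byte IP header and the 8-byte ICMP echo header leaves 64 payload bytes, and the dump shows four rows of 16, so this Snort full-format alert does carry the whole payload. The following is an added example (not code from the original post, nor from the Snort or DShield projects) that parses such an alert block, performs that completeness check, and classifies the packet with a heuristic suggested by the dump above. The sample input is the alert from this page embedded as a string; the 0xAA-run heuristic and the initial-TTL rule of thumb are assumptions made here, not the Snort rule's actual content match.

```python
import re

# Constructed sample: the Snort full-format alert block quoted in the post
# above, embedded here as a string (no live capture is read).
SNORT_ALERT = """\
[**] ICMP PING CyberKit 2.2 Windows [**]
08/18-10:16:43.229405 209.214.10.59 -> 209.213.232.118
ICMP TTL:109 TOS:0x0 ID:10427 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:36576  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
"""

IP_FIELDS = ("TTL", "TOS", "ID", "IpLen", "DgmLen")
ICMP_FIELDS = ("Type", "Code", "ID", "Seq")
ICMP_ECHO_HEADER_LEN = 8      # type(1) code(1) checksum(2) id(2) seq(2)
ICMP_ECHO_REQUEST = 8


def _num(token):
    """Snort prints most fields in decimal but TOS as 0x..; handle both."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def parse_snort_alert(text):
    """Parse one Snort full-format alert into a dict with a bytes payload."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    alert = {"msg": re.match(r"\[\*\*\]\s*(.*?)\s*\[\*\*\]", lines[0]).group(1)}
    ts, src, _, dst = lines[1].split()
    alert.update(timestamp=ts, src=src, dst=dst, proto=lines[2].split()[0])
    ip_hdr = dict(re.findall(r"(\w+):(\S+)", lines[2]))
    icmp_hdr = dict(re.findall(r"(\w+):(\S+)", lines[3]))
    for name in IP_FIELDS:
        alert["ip_" + name.lower()] = _num(ip_hdr[name])
    for name in ICMP_FIELDS:
        alert["icmp_" + name.lower()] = _num(icmp_hdr[name])
    # Hex dump rows: Snort uses a fixed 48-column hex field (16 bytes) before
    # the ASCII column, so slice positionally instead of trusting the ASCII
    # side, which can itself contain hex-looking characters.
    payload = bytearray()
    for row in lines[4:]:
        payload.extend(int(tok, 16) for tok in row[:48].split())
    alert["payload"] = bytes(payload)
    return alert


def expected_payload_len(alert):
    """ICMP payload bytes implied by the IP total length (DgmLen)."""
    return alert["ip_dgmlen"] - alert["ip_iplen"] - ICMP_ECHO_HEADER_LEN


def payload_is_complete(alert):
    """True when the dumped bytes account for the whole ICMP payload."""
    return len(alert["payload"]) == expected_payload_len(alert)


def is_cyberkit_style_ping(alert, min_run=32):
    """Heuristic suggested by the alert name and dump above: an ICMP echo
    request whose payload opens with a run of 0xAA bytes. Assumption made
    for this example, not the Snort rule's own content match."""
    p = alert["payload"]
    return (alert["proto"] == "ICMP"
            and alert["icmp_type"] == ICMP_ECHO_REQUEST
            and alert["icmp_code"] == 0
            and len(p) >= min_run
            and p[:min_run] == b"\xaa" * min_run)


def likely_initial_ttl(ttl):
    """Rule of thumb: nearest common initial TTL at or above the observed
    value (64 Unix-like, 128 Windows, 255 some network gear)."""
    for init in (64, 128, 255):
        if ttl <= init:
            return init
    return None


def describe(alert):
    """One-line triage summary, handy when grepping through many alerts."""
    return "%s %s -> %s ttl=%d (initial~%s) payload=%d/%d complete=%s cyberkit=%s" % (
        alert["timestamp"], alert["src"], alert["dst"], alert["ip_ttl"],
        likely_initial_ttl(alert["ip_ttl"]), len(alert["payload"]),
        expected_payload_len(alert), payload_is_complete(alert),
        is_cyberkit_style_ping(alert))


if __name__ == "__main__":
    print(describe(parse_snort_alert(SNORT_ALERT)))
```

For a raw capture of the same thing, `tcpdump -n -s 0 -X icmp` gives hex plus ASCII of the full packet; `-s 0` matters because tcpdump's default snaplen otherwise truncates the payload, which is the usual reason "full packet" captures come out short.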

-----Original Message-----
From: Johannes B. Ullrich [mailto:jullrich at sans.org]
Sent: Monday, August 18, 2003 8:52 AM
To: General DShield Discussion List
Subject: Re: [Dshield] ICMP increase


Could you please pass along a few full packets? (either off or on list)


On Mon, 2003-08-18 at 08:47, Luke Matchett wrote:
> Johannes B. Ullrich wrote:
> 
> >Over the last few hours, we detected a remarkable increase in ICMP
> >traffic. So far I have no idea what this is about. Any insight is
> >appreciated.
> >
> >(ICMP shows up as 'port 0' in our protocol ignorant graphs. I will try
> >and pull some protocol specific data)
> >
>
> >http://www.dshield.org/port_report.php?port=0&recax=1&tarax=1&srcax=2&percent=N&days=1
> >
> About 24 hours ago my snort logs began recording the following message 
> "ICMP PING CyberKit 2.2 Windows" . I am now seeing about 2 of these a 
> minute from various IPs. I normally get about 4 snort alerts a day.
> 
> Luke
> 
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt


