[Dshield] Ping variant 0x4545?

John Sage jsage at finchhaven.com
Mon Sep 22 14:55:23 GMT 2003


Starting to see a few of these; note that the first four bytes don't
seem to match a similar snort rule, below, FWIW...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/21-14:13:26.844522 24.81.52.49 -> 12.82.145.149
ICMP TTL:49 TOS:0x0 ID:37443 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:51270  ECHO
0x0000: 45 00 00 3C 92 43 00 00 31 01 0D 15 18 51 34 31  E..<.C..1....Q41
0x0010: 0C 52 91 95 08 00 D9 64 02 00 C8 46 45 45 45 45  .R.....d...FEEEE
0x0020: 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0x0030: 45 45 45 45 45 45 45 45 45 45 45 45              EEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/21-22:02:16.383737 24.74.183.203 -> 12.82.145.149
ICMP TTL:45 TOS:0x0 ID:4080 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:30139  ECHO
0x0000: 45 00 00 3C 0F F0 00 00 2D 01 0F D5 18 4A B7 CB  E..<....-....J..
0x0010: 0C 52 91 95 08 00 2B F0 02 00 75 BB 45 45 45 45  .R....+...u.EEEE
0x0020: 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0x0030: 45 45 45 45 45 45 45 45 45 45 45 45              EEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/22-04:43:48.201100 12.65.54.113 -> 12.82.145.149
ICMP TTL:51 TOS:0x0 ID:27778 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1280   Seq:18622  ECHO
0x0000: 45 00 00 3C 6C 82 00 00 33 01 3A A6 0C 41 36 71  E..<l...3.:..A6q
0x0010: 0C 52 91 95 08 00 55 ED 05 00 48 BE 45 45 45 45  .R....U...H.EEEE
0x0020: 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0x0030: 45 45 45 45 45 45 45 45 45 45 45 45              EEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/22-04:43:49.651237 12.65.54.113 -> 12.82.145.149
ICMP TTL:51 TOS:0x0 ID:27910 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1280   Seq:52414  ECHO
0x0000: 45 00 00 3C 6D 06 00 00 33 01 3A 22 0C 41 36 71  E..<m...3.:".A6q
0x0010: 0C 52 91 95 08 00 D1 EC 05 00 CC BE 45 45 45 45  .R..........EEEE
0x0020: 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0x0030: 45 45 45 45 45 45 45 45 45 45 45 45              EEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/22-04:43:51.631439 12.65.54.113 -> 12.82.145.149
ICMP TTL:51 TOS:0x0 ID:28068 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1280   Seq:26303  ECHO
0x0000: 45 00 00 3C 6D A4 00 00 33 01 39 84 0C 41 36 71  E..<m...3.9..A6q
0x0010: 0C 52 91 95 08 00 37 EC 05 00 66 BF 45 45 45 45  .R....7...f.EEEE
0x0020: 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0x0030: 45 45 45 45 45 45 45 45 45 45 45 45              EEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


This doesn't quite seem to match this snort sig in that the first four
bytes aren't 0x00 00 00 00...

[jsage at sparky /etc/snort] $ grep '45 45' *
icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; content: "|00 00 00 00 45 45 45 45 45 45 45 45 45 45 45 45|"; itype: 8; icode: 0; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:1;)



- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
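As an added worked example (my code, not part of John's post or of the Snort rule set), the Python below parses one of the Snort hex dumps above, decodes the ICMP echo header, verifies the ICMP checksum, and tests the packet against the sid:476 content quoted in the post. Where Snort starts its content window for ICMP is treated as an assumption here, so the check is run at two candidate offsets: right after the 4-byte type/code/checksum (so the ID/Seq bytes come first) and after the full 8-byte echo header (echo data only). Function names, the sample dump (the first capture, with its wrapped 0x0010 row rejoined) and the `variant_0x45` detection are all the example's own.

```python
"""Added example (not part of the original post): parse a Snort-style hex
dump, decode the ICMP echo header, verify the ICMP checksum, and test the
packet against the content of the sid:476 'ICMP webtrends scanner' rule
quoted in the post.  All function names are the example's own."""
import re
import struct

# Constructed sample: the first dump from the post, with the wrapped
# 0x0010 row rejoined onto one line.
SAMPLE_DUMP = """\
0x0000: 45 00 00 3C 92 43 00 00 31 01 0D 15 18 51 34 31  E..<.C..1....Q41
0x0010: 0C 52 91 95 08 00 D9 64 02 00 C8 46 45 45 45 45  .R.....d...FEEEE
0x0020: 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0x0030: 45 45 45 45 45 45 45 45 45 45 45 45              EEEEEEEEEEEE
"""

# content: "|00 00 00 00 45 45 45 45 45 45 45 45 45 45 45 45|" from sid:476.
SID476_CONTENT = bytes.fromhex("00000000") + b"\x45" * 12

# Offset label, then hex pairs separated by single spaces; the ASCII
# column is set off by two spaces, so it is never captured.
HEX_ROW = re.compile(r"^0x[0-9A-Fa-f]{4}:\s+([0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)")


def parse_hexdump(text):
    """Return the raw packet bytes from the hex columns of a Snort -X dump."""
    raw = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; over a message that already carries
    a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp_echo(pkt):
    """Split an IPv4/ICMP echo packet into header fields and echo data."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1:
        raise ValueError("IP protocol %d is not ICMP" % pkt[9])
    icmp = pkt[ihl:total_len]
    itype, icode, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": itype, "code": icode, "checksum": csum,
            "id": ident, "seq": seq, "icmp": icmp, "data": icmp[8:]}


def content_match(window, content):
    """Snort 'content' semantics with no offset/depth: substring anywhere."""
    return content in window


def analyse(dump_text):
    """Decode one dump and report how the sid:476 content behaves on it."""
    fields = decode_icmp_echo(parse_hexdump(dump_text))
    icmp = fields["icmp"]
    data = fields["data"]
    return {
        "id": fields["id"],
        "seq": fields["seq"],
        "checksum_ok": inet_checksum(icmp) == 0,
        # Window A (assumption): the content window starts right after the
        # 4-byte type/code/checksum, so the ID/Seq bytes come first.
        "sid476_after_icmp_header": content_match(icmp[4:], SID476_CONTENT),
        # Window B (assumption): the window starts after the full 8-byte
        # echo header, so only the echo data is searched.
        "sid476_after_echo_header": content_match(data, SID476_CONTENT),
        # Detection for the variant in the post: an echo request whose data
        # is nothing but 0x45 bytes, whatever ID/Seq happen to carry.
        "variant_0x45": (fields["type"] == 8 and len(data) >= 12
                         and data == b"\x45" * len(data)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_DUMP).items():
        print("%-26s %r" % (key, value))
```

Run as-is, the decoded ID and Seq (512 and 51270) agree with Snort's own `ID:512 Seq:51270` line and the ICMP checksum verifies, while the sid:476 content fails to match under either window assumption, because no run of four zero bytes precedes the 0x45 bytes. The `variant_0x45` check is the kind of narrower match a defender could log on for this traffic without depending on the ID/Seq values, which differ from packet to packet.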
