File: 456.txt

Rule:

--
Sid:
456

--
Summary:
This event is generated when an attempt is made to use ICMP as a
reconnaissance tool.

--
Impact:
Can be used as a reconnaissance tool.  Traceroute reveals information
about the layout of a network.

--
Detailed Information:
There are at least three different implementations of traceroute.  In
one implementation traceroute works by sending an ICMP Echo Request
packet to a destination host with a TTL value of 1.  If the host is more
than one hop away, the first router that receives the packet will send
back an ICMP packet indicating that the TTL was exceeded.  The address
of this router is then listed as the first hop.  The packet is then sent
out again with a TTL of 2.  This continues until the destination host is
able to reply or some maximum TTL value is reached.

The other two implementations use the same TTL-based concept with an
ICMP type of 30 (traceroute) or with a UDP packet destined for an
ephemeral port.
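
The TTL-walking behaviour and the ICMP type 30 variant described above, as an added example that is not part of the Snort rule documentation: a small classifier over constructed IPv4/ICMP packets that labels type 30 traceroute messages, low-TTL Echo Requests, and Time Exceeded replies, plus a check for one source walking TTL 1, 2, 3, ... toward one target. The packet builder, the `low_ttl` threshold and the `min_probes` count are assumptions for illustration, not values from the rule.

```python
import struct
from ipaddress import ip_address

# ICMP types referenced in the rule text (RFC 792 / RFC 1393).
ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED, ICMP_TRACEROUTE = 8, 11, 30
IPPROTO_ICMP = 1


def build_ipv4_icmp(src, dst, ttl, icmp_type, icmp_code=0, payload=b""):
    """Construct a minimal IPv4 header (20 bytes, no options) plus an
    8-byte ICMP header. Checksums are left zero; this is test input only."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                         ttl, IPPROTO_ICMP, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return ip_hdr + icmp


def _icmp_type(packet):
    """Return the ICMP type of an IPv4/ICMP packet, or None if not ICMP."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_ICMP:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length honours IP options
    return packet[ihl] if len(packet) > ihl else None


def classify(packet, low_ttl=2):
    """Label traceroute-related ICMP behaviour seen in a single packet.
    low_ttl is an assumed threshold: legitimate pings arrive with far
    larger TTLs than the 1, 2, 3 used by a TTL-based traceroute."""
    icmp_type = _icmp_type(packet)
    if icmp_type == ICMP_TRACEROUTE:
        return "icmp-traceroute-type30"     # RFC 1393 traceroute message
    if icmp_type == ICMP_ECHO_REQUEST and packet[8] <= low_ttl:
        return "echo-request-low-ttl"       # probe from a TTL-walking traceroute
    if icmp_type == ICMP_TIME_EXCEEDED:
        return "time-exceeded-reply"        # router answering such a probe
    return None


def is_ttl_sweep(packets, min_probes=3):
    """True if some (src, dst) pair sent Echo Requests with TTL 1..min_probes,
    i.e. the incrementing-TTL walk the rule text describes."""
    seen = {}
    for p in packets:
        if _icmp_type(p) == ICMP_ECHO_REQUEST:
            seen.setdefault((p[12:16], p[16:20]), set()).add(p[8])
    wanted = set(range(1, min_probes + 1))
    return any(wanted <= ttls for ttls in seen.values())
```

Reply traffic (Time Exceeded) is what the monitored network's own routers emit back toward the prober, so counting those labels per external source is a useful complementary signal.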

--
Affected Systems:
All

--
Attack Scenarios:

Traceroute is often used against machines on a network prior to an
attack.

--
Ease of Attack:
Simple

--
False Positives:

--
False Negatives:
None known.

--
Corrective Action:
Block inbound ICMP type 30 messages.

--
Contributors:
Original Rule Writer Max Vision <vision@whitehats.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Steven Alexander <alexander.s@mccd.edu>

--
Additional References:

Miscellaneous
http://www.faqs.org/rfcs/rfc1393.html

--