06-18-2001 02:44 PM - edited 03-08-2019 08:23 PM
We have been tracking many hits on signature 2151 and therefore many subsignatures. After we upgraded to 2.5 on our sensors we noticed a marked increase in the number of subsignatures. There are no details about these. We are attempting to better understand this ICMP traffic. Is there somewhere online or off that I can get some details? We are seeing traffic from Digital Island with a subsignature of 81480, for instance. The particular packets are "network monitoring" packets. We have so far been unsuccessful in getting an explanation from Digital Island about them. Ethereal is also unable to interpret the IP logs.
thanks,
ted
06-21-2001 02:07 PM
Ted,
The subsignature tells you the ICMP message type and length. It is type * 10000 + message length.
So a value of 81480 means:
IcmpType 8 (echo request) with an IP Data Length of 1480.
If you see a value X < 10000, that would be an
IcmpType 0 (echo reply) where X is the IP Data Len.
Hope this helps,
Scott Cothrell
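A small decoder for the subsignature scheme Scott describes, added here as a worked example (it is not code from the thread or from Cisco). It assumes exactly the encoding above, subsignature = ICMP type * 10000 + IP data length, so anything below 10000 is type 0 (echo reply); the function names and the sample values other than 81480 are this example's own. The ICMP type names are the standard RFC 792 numbers and are only there for readability.

```python
"""Decode Cisco IDS signature 2151 subsignature values.

Added example, not from the thread. Assumes the encoding described in
the reply above: subsig = icmp_type * 10000 + ip_data_length, so a value
below 10000 is ICMP type 0 (echo reply). Names here are the example's own.
"""

# Standard ICMP type numbers (RFC 792); names are for display only.
ICMP_TYPE_NAMES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    12: "parameter problem",
    13: "timestamp request",
    14: "timestamp reply",
}

# The type field is scaled by 10000. Note the caveat this implies: an IP
# data length of 10000 or more cannot be represented without colliding
# with the next type value. Ethernet-sized ICMP (<= 1480 bytes of data)
# stays well inside the range.
SCALE = 10000


def decode_subsig(subsig):
    """Return (icmp_type, ip_data_length) for a signature 2151 subsignature.

    Values below SCALE decode to type 0 (echo reply) with the whole value
    as the IP data length, matching the reply above.
    """
    if not isinstance(subsig, int) or subsig < 0:
        raise ValueError("subsignature must be a non-negative integer")
    icmp_type, data_len = divmod(subsig, SCALE)
    if icmp_type > 255:
        raise ValueError("decoded ICMP type %d is out of range" % icmp_type)
    return icmp_type, data_len


def encode_subsig(icmp_type, data_len):
    """Inverse of decode_subsig; useful when filtering for one known case."""
    if not 0 <= icmp_type <= 255:
        raise ValueError("ICMP type must be 0..255")
    if not 0 <= data_len < SCALE:
        raise ValueError("IP data length must be 0..%d" % (SCALE - 1))
    return icmp_type * SCALE + data_len


def describe_subsig(subsig):
    """Human-readable summary of one subsignature value."""
    icmp_type, data_len = decode_subsig(subsig)
    name = ICMP_TYPE_NAMES.get(icmp_type, "unknown type")
    return "%d: ICMP type %d (%s), IP data length %d" % (
        subsig, icmp_type, name, data_len)


if __name__ == "__main__":
    # Constructed sample values: the one from the thread plus a few others.
    for value in (81480, 1480, 30576, 111480):
        print(describe_subsig(value))
```

Running the block prints the decoded type and length for each sample; 81480 comes out as type 8 (echo request) with 1480 bytes of IP data, which is the full payload of a 1500-byte Ethernet frame after the 20-byte IP header.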
06-21-2001 04:41 PM
Ted,
There has been a similar discussion on the Focus-IDS mail list about large ICMP traffic. Here are a couple of excerpts from some of the postings that may help you:
------
The digisle [Digital Island] packets are part of some "internet weather map" that they're doing.
I get them every few minutes from over 200 unique ip addresses, all directed at
my primary DNS server.
I found it mentioned on a few lists doing a google search:
http://www.sans.org/y2k/072500-1200.htm
http://archives.neohapsis.com/archives/iss/2000-q3/0074.html
Seems legit, but annoying.
-------------
The 1500-byte empty ICMP datagrams are usually an OS (HP-UX frequently) doing path MTU discovery. Annoying, but relatively harmless.
----------------