2151 Subsignature details

tfrohling
Level 1

We have been tracking many hits on signature 2151 and therefore many subsignatures. After we upgraded to 2.5 on our sensors we noticed a marked increase in the number of subsignatures. There are no details about these. We are attempting to better understand this ICMP traffic. Is there somewhere online or off that I can get some details? We are seeing traffic from Digital Island with a subsignature of 81480, for instance. The particular packets are "network monitoring" packets. We have so far been unsuccessful in getting an explanation from Digital Island about them. Ethereal is also unable to interpret the IP logs.

thanks,

ted

2 Replies

scothrel
Level 3

Ted,

The subsignature tells you the ICMP message type and length. It is type * 10000 + message length.

So a value of 81480 means:

IcmpType 8 (echo request) with an IP Data Length of 1480.

If you see a value X < 10000, that would be an

IcmpType 0 (echo reply) where X is the IP Data Len.

Hope this helps,

Scott Cothrell
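The encoding Scott describes (subsignature = ICMP type * 10000 + IP data length) is easy to apply by hand for one value, but a sensor that is "tracking many hits" produces a long list of them. The following is an added example, not code from the original thread or from the sensor product, that decodes a value back into its two fields, rebuilds a value from the fields, and tallies a batch so that bulk traffic such as the 1480-byte echo requests stands out. The ICMP type names come from the standard IANA assignments; the sample list of subsignature values is constructed for the example, not taken from a real sensor log. One consequence of the scheme worth knowing: a data length of 10000 or more would decode as the next ICMP type, so the encoder below rejects such lengths rather than produce an ambiguous value.

```python
from collections import Counter

# Common ICMP message types (IANA assignments), used only to label decoded values.
ICMP_TYPE_NAMES = {
    0: "echo reply",
    3: "destination unreachable",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
}

# Per the answer above: subsignature = type * 10000 + IP data length.
SUBSIG_TYPE_MULTIPLIER = 10000


def decode_subsig(value):
    """Split a signature 2151 subsignature value into (icmp_type, ip_data_len).

    81480 -> (8, 1480); values below 10000 decode to type 0 (echo reply).
    """
    if not isinstance(value, int) or value < 0:
        raise ValueError("subsignature must be a non-negative integer")
    icmp_type, data_len = divmod(value, SUBSIG_TYPE_MULTIPLIER)
    if icmp_type > 255:
        raise ValueError("value decodes to an impossible ICMP type (> 255)")
    return icmp_type, data_len


def encode_subsig(icmp_type, data_len):
    """Inverse of decode_subsig.

    A length of 10000 or more would alias the next ICMP type under this
    encoding, so it is rejected instead of producing an ambiguous value.
    """
    if not 0 <= icmp_type <= 255:
        raise ValueError("ICMP type must be in 0..255")
    if not 0 <= data_len < SUBSIG_TYPE_MULTIPLIER:
        raise ValueError("IP data length must be in 0..9999 under this encoding")
    return icmp_type * SUBSIG_TYPE_MULTIPLIER + data_len


def describe_subsig(value):
    """Human-readable form of one subsignature value."""
    icmp_type, data_len = decode_subsig(value)
    name = ICMP_TYPE_NAMES.get(icmp_type, "unassigned/other")
    return f"ICMP type {icmp_type} ({name}), IP data length {data_len}"


def summarize_subsigs(values):
    """Tally a batch of subsignature values by decoded (type, length).

    Returns a Counter keyed by (icmp_type, ip_data_len) so that repeated
    patterns (e.g. many 1480-byte echo requests) are visible at a glance.
    """
    return Counter(decode_subsig(v) for v in values)


# Constructed sample of subsignature values; not from a real sensor log.
SAMPLE_SUBSIGS = [81480, 81480, 81480, 1480, 81480, 856, 30056, 81480]

if __name__ == "__main__":
    for (icmp_type, data_len), count in summarize_subsigs(SAMPLE_SUBSIGS).most_common():
        print(f"{count:3d} x {describe_subsig(encode_subsig(icmp_type, data_len))}")
```

Run as a script it prints the sample tallied by decoded type and length, with the five 1480-byte echo requests at the top; the single 1480-byte echo reply and the 56-byte destination-unreachable message are listed separately, which is the distinction the raw subsignature numbers hide.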

jsirrian
Level 1

Ted,

There has been a similar discussion on the Focus-IDS mailing list about large ICMP traffic. Here are a couple of excerpts from some of the postings that may help you:

------

The digisle [Digital Island] packets are part of some "internet weather map" that they're doing.

I get them every few minutes from over 200 unique IP addresses, all directed at my primary DNS server.

I found it mentioned on a few lists doing a Google search:

http://www.sans.org/y2k/072500-1200.htm

http://archives.neohapsis.com/archives/iss/2000-q3/0074.html

Seems legit, but annoying.

-------------

The 1500-byte empty ICMP datagrams are usually an OS (HP-UX frequently) doing path MTU discovery. Annoying, but relatively harmless.

----------------