Sophie

Sophie

distrib > Mandriva > 2006.0 > x86_64 > by-pkgid > 56c5837d9d111437878acba01e4df73e > files > 2472

snort-2.3.3-2.3.20060mdk.x86_64.rpm

Rule:

--
Sid:
385

--
Summary:
This event is generated when a Windows traceroute (tracert) is detected.

--
Impact:
Information gathering.  A traceroute can be used to discover live hosts and network topologies.

--
Detailed Information:
A Windows traceroute command uses an ICMP echo request with a lower than normal Time to Live (TTL) value to identify live hosts and network topolgies.  The TTL value is manipulated by the sending host to discover all routers traversed from the source host to the destination host.  Eventually, a TTL value of 1 is observed, which elicits an ICMP error message of time exceeded in-transit.  A router sends this ICMP error message to the host running traceroute.  The traceroute host will record this as a router and continue to incrementally manipulate the TTL until the destination host is reached. 

Additionally There are at least three different implementations of 
traceroute.  In one implementation traceroute works by sending an ICMP 
Echo Request packet to a destination host with a TTL value of 1.  If the
host is more than one hop away, the first route that receives the back 
will send back an ICMP packet indicating that the TTL was exceeded.  The
address of this router is then listed as the first hop.  The packet is 
then sent out again with a TTL of 2.  This continues until the 
destination host is able to reply or some maximum TTL value is reached.

The other two implementations use the same TTL-based concept with an
ICMP type of 30(traceroute) or with an UDP packet destined for an
ephemeral port.

--
Affected Systems:
All

--
Attack Scenarios:
An attacker may use a traceroute to discover live hosts and routers on a target network in preparation for an attack.

--
Ease of Attack:
Simple

--
False Positives:
The traceroute command may be used to legitimately troubleshoot networking problems.

--
False Negatives:
None known

--
Corrective Action:
Block inbound ICMP echo requests.

--
Contributors:
Original Rule Writer Max Vision <vision@whitehats.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by  by Steven Alexander<alexander.s@mccd.edu>

--
Additional References:

Arachnids:
http://www.whitehats.com/info/IDS118

--

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional