11-08-2001 09:16 PM - edited 03-08-2019 09:07 PM
We are seeing multiple hits on sig. 6032 description=Modified Loki ICMP tunnelling
These are coming from 3 different source ips.
An HP openview platform, Compaq Insight, and VPN contivity management interface.
They are going to hundreds of network devices.
Could this be normal management traffic triggering these events? Or maybe 3 management platforms have been compromised!
Sub signatures are 1144, 3904 and 57418
Any idea where to read up on the sub signatures?
Thank you
11-20-2001 09:43 AM
This can be normal management traffic. We have several active ICMP devices for various reasons which trigger 6302 reliably.
11-20-2001 11:28 AM
I'm going to assume you are running a 3.0 release of the code.
The 6302 Loki signature is triggered by an imbalance in the number of echo replies to echo requests between a fixed src and destination. Additionally these replies must have the same sequence numbers as the associated request had, and at least one must have a different payload than the associated request.
This fits the mold of something that is using ICMP echo request/replies as a covert channel for communication. The standard implementation of ICMP would call for a one to one correlation between replies and requests and the payload in the replies should be the same as the request, hence the name Echo request/Echo reply.
Unfortunately several companies for various benign reasons have decided to use ICMP as a way of communicating. These appear to be covert channels and they are, however they are benign in this case.
The subsignature IDs are the ICMP sequence numbers of the traffic that we were following that caused the alert. This would allow you to sniff your ICMP traffic and match up the offending ICMP traffic to the alarm so that you could decide if the data being communicated in the channel was benign or if it was a potentially compromised host.
Hope this helps to shed more light on this for you.
KLW
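As an added example (not from the thread and not Cisco's signature engine), here is a toy Python implementation of the heuristic described above: it pairs echo replies with requests by sequence number per source/destination pair, flags pairs with more replies than requests where at least one reply payload differs from its request, and reports the sequence numbers so they can be matched to a capture the way the sub-signature IDs are. The records, addresses and payloads are constructed; treating "imbalance" as more replies than requests is an assumption.

```python
from collections import defaultdict

# Constructed sample traffic (not a real capture).
# Each record: (src, dst, icmp_type, seq, payload); type 8 = echo request, 0 = echo reply.
SAMPLE = [
    ("10.0.0.5", "10.0.1.1", 8, 1144, b"ping"),
    ("10.0.1.1", "10.0.0.5", 0, 1144, b"status:ok"),  # reply payload differs from request
    ("10.0.1.1", "10.0.0.5", 0, 1144, b"status:ok"),  # second reply to one request -> imbalance
    ("10.0.0.5", "10.0.1.1", 8, 3904, b"ping"),
    ("10.0.1.1", "10.0.0.5", 0, 3904, b"ping"),       # normal echo: same payload, one reply
    ("192.168.1.2", "192.168.1.9", 8, 7, b"abc"),
    ("192.168.1.9", "192.168.1.2", 0, 7, b"abc"),     # normal echo, balanced
]


def loki_check(records):
    """Return {(requester, responder): [seq, ...]} for pairs that show more
    echo replies than echo requests AND at least one reply whose payload
    differs from the request carrying the same sequence number.
    The listed sequence numbers are what you would look for in a sniffer."""
    requests = defaultdict(dict)   # (requester, responder) -> {seq: request payload}
    replies = defaultdict(list)    # (requester, responder) -> [(seq, reply payload)]
    for src, dst, icmp_type, seq, payload in records:
        if icmp_type == 8:
            requests[(src, dst)][seq] = payload
        elif icmp_type == 0:
            # Key replies by the original requester -> responder direction.
            replies[(dst, src)].append((seq, payload))

    alerts = {}
    for pair, reply_list in replies.items():
        reqs = requests.get(pair, {})
        # Only replies whose sequence number matches a seen request count.
        matched = [(seq, payload) for seq, payload in reply_list if seq in reqs]
        if len(matched) <= len(reqs):
            continue  # balanced (or fewer replies): not the pattern described
        modified = sorted({seq for seq, payload in matched if payload != reqs[seq]})
        if modified:
            alerts[pair] = modified
    return alerts


if __name__ == "__main__":
    for (requester, responder), seqs in loki_check(SAMPLE).items():
        print(f"{requester} -> {responder}: modified echo replies, ICMP seq {seqs}")
```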