448.txt

来自「This is the snapshot of Snot Latest Rule」· 文本 代码 · 共 59 行

Rule:

--
Sid:
448

--
Summary:
This event is generated when an ICMP "Source Quench" message is generated that has a non-zero ICMP code.  

--
Impact:
Informational.  This may indicate that the ICMP message has been crafted.

--
Detailed Information:
An ICMP "Source Quench" message is issued by a network device that cannot handle the current volume of traffic.  The ICMP code value for this message should be 0.  If a non-zero ICMP code is observed, it may be an indication that the packet was crafted with an invalid value.

ICMP Source Quench messages may be normally sent by either a gateway or a host as a congestion control mechanism. A gateway would send them if it is running out of buffer space (needed to queue datagrams for output to the next hop) or by a host that is receiving datagrams too fast to process. Maliciously crafted ICMP Source Quench Messages may be used to force a remote host to slow down its transmission rate and causing a Denial of Service.

--
Affected Systems:
This traffic should have no adverse impact.

--
Attack Scenarios:
An attacker may craft an ICMP "Source Quench" message with an invalid ICMP code.  A single packet itself is not harmful, but the unusual ICMP code my indicate that this packet was abnormally generated.

--
Ease of Attack:
Simple. There are many packages available to generate ICMP messages.

--
False Positives:
Although rare, it is possible to observe an ICMP "Source Quench" message with a non-zero type code generated by software that does not conform to standards.

--
False Negatives:
None Known.

--
Corrective Action:
If a routing device in your network is generating this message, investigate why it does not have a standard ICMP code of 0.

--
Contributors:
Original rule writer unknown.
Sourcefire Vulnerability Research Team
Judy Novak <judy.novak@sourcefire.com>
Additional information by Jose Hernandez <jrseal76@hotmail.com>

--
Additional References:

OSVDB:
http://www.osvdb.org/15618

--