421.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--

Sid:
421

--

Summary:
This event is generated when a network host generates an ICMP Mobile Registration Reply datagram.

--

Impact:
ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message.  ICMP Type 36 datagrams should never be seen in normal network conditions.

--

Detailed Information:
ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4).  Therefore these types of ICMP datagrams should never be seen in normal networking conditions.  

--

Attack Scenarios:
None known

--

Ease of Attack:
Numerous tools and scripts can generate this type of ICMP datagram.

--

False Positives:
None known

--

False Negatives:
None known
--

Corrective Action:
ICMP Type 36 datagrams are not normal network activity.  Hosts generating these types of datagrams should be investigated for nefarious activity

--

Contributors:
Original rule writer unknown
Sourcefire Research Team
Matthew Watchinski (matt.watchinski@sourcefire.com)

--

Additional References:
None


--