#41 Fingerprint ICMP applications

open
nobody
None
5
2008-06-26
2008-06-26
Anonymous
No

Many applications that send out ICMP packets can be fingerprinted by matching the ICMP Code field to some database. Xprobe, for example, uses 0x7b (123) for the Code field, while LanGuard uses 0x13.

It would be nice to display the application fingerprint in the Details node of a host.
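A sketch of the lookup described above, added here as an example; it is not code from the ticket or from the project. The signature table holds only the two Code values named in the ticket. The function names, the restriction to ICMP query types (whose Code is defined as 0), and the sample packets are assumptions made for the example.

```python
import struct

# Signature table: only the two Code values named in the ticket.
CODE_SIGNATURES = {0x7B: "Xprobe", 0x13: "LanGuard"}
# ICMP query types whose Code is defined as 0 (RFC 792, RFC 950), so a
# non-zero Code is a sender quirk. Limiting to these types is an assumption.
QUERY_TYPES = {8: "echo request", 13: "timestamp request",
               15: "information request", 17: "address mask request"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (zero-padded to 16 bits)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fingerprint_icmp(packet: bytes):
    """Return an application label for a raw IPv4 packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    total_len, _, frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or packet[9] != 1 or frag & 0x1FFF:
        return None                      # bad header, not ICMP, or later fragment
    if total_len < ihl + 8 or len(packet) < total_len:
        return None                      # ICMP header missing or capture cut short
    icmp = packet[ihl:total_len]         # drops link-layer padding
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in QUERY_TYPES or code == 0:
        return None                      # Code is normal or carries real meaning
    if inet_checksum(icmp) != 0:
        return None                      # corrupted packet: Code not trustworthy
    return CODE_SIGNATURES.get(code, f"unknown (code 0x{code:02x})")

def build_sample(icmp_type: int, code: int) -> bytes:
    """Constructed test packet (documentation addresses, IP checksum left 0)."""
    body = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + b"probe"
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + body

if __name__ == "__main__":
    for code in (0x00, 0x7B, 0x13, 0x55):
        print(hex(code), fingerprint_icmp(build_sample(8, code)))
```

A non-zero Code that is not in the table is still reported as unknown, since it marks a sender that deviates from the normal Code of 0 even when no signature exists for it yet.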

Discussion

  • Logged In: NO

    It might also be a good idea to take a look at the snort signature files icmp.rules, icmp-info.rules and scan.rules to see how various ICMP-applications are behaving.