I was troubleshooting some significant network alert messages from Cisco Security Agent and determined it was related to HP OpenView sending ICMP ECHO packets to the host. Typically, some of the security checks in CSA wouldn't alert on this; however, it appears the echo packets being sent to the host are putting random data into the payload as opposed to the typical packet payload. The CSA check thought it was someone sending an ICMP covert channel payload à la Project Loki (article 6) by Mike Schiffman and Jeremy Rauch. It's pretty funny that commercial monitoring management software sends commercial-grade host intrusion prevention software into a tizzy. Also read the following from SANS discussing various ICMP packets that you see from the net.
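The false positive above comes down to one question: does an echo request carry the payload a normal ping tool would send, or something else? The following is an added example, not code from the post, from CSA or from HP OpenView, showing how a host-side check can make that distinction and how an allowlist for known monitoring hosts stops the alert without disabling the check. The payload patterns for the Windows ping (`abcdefghijklmnopqrstuvwabcdefghi`) and the Linux iputils ping (8-byte timestamp followed by incrementing bytes starting at 0x08) are the well-known defaults of those tools; the packet bytes, the source addresses and the `triage` verdict names are constructed for this example, and the heuristic is an illustration, not CSA's actual rule.

```python
import hashlib
import math
import struct
from typing import Optional

# Default payload of the Windows ping tool (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# Constructed Linux iputils-style payload: 8-byte timestamp, then bytes 0x08..0x37.
LINUX_SAMPLE_PAYLOAD = struct.pack("!II", 1142553600, 123456) + bytes(range(8, 56))

# Constructed "random-looking" payload (SHA-256 output) standing in for the
# non-standard data the post describes; deterministic so the example is repeatable.
RANDOM_LOOKING_PAYLOAD = (hashlib.sha256(b"constructed-1").digest()
                          + hashlib.sha256(b"constructed-2").digest()[:24])


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo request (type 8) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp_echo(packet: bytes) -> Optional[dict]:
    """Split an ICMP echo request/reply into fields; None if it is not an echo."""
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8):
        return None
    # A correct packet sums to 0xFFFF, so the complemented checksum of the whole is 0.
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random data sits near log2(len(data))."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())


def classify_echo_payload(payload: bytes) -> str:
    """Match the payload against known ping-tool defaults."""
    if not payload:
        return "empty"
    if payload == WINDOWS_PING_PAYLOAD:
        return "windows-ping-default"
    # iputils fills data[i] = i (mod 256) for i >= 8; the first 8 bytes are a timestamp.
    if len(payload) >= 16 and payload[8:] == bytes(i & 0xFF for i in range(8, len(payload))):
        return "linux-ping-default"
    return "unrecognized"


def triage(packet: bytes, src_ip: str, monitoring_hosts: set) -> dict:
    """Decide whether an echo packet deserves an alert, with entropy as analyst context."""
    fields = parse_icmp_echo(packet)
    if fields is None:
        return {"verdict": "not-echo"}
    kind = classify_echo_payload(fields["payload"])
    entropy = shannon_entropy(fields["payload"])
    max_entropy = math.log2(len(fields["payload"])) if len(fields["payload"]) > 1 else 1.0
    if kind != "unrecognized":
        verdict = "benign-known-pattern"
    elif src_ip in monitoring_hosts:
        # The post's resolution: a known monitoring host with an odd payload is expected.
        verdict = "benign-allowlisted-monitor"
    else:
        verdict = "alert-unrecognized-payload"
    return {"verdict": verdict, "payload_kind": kind, "checksum_ok": fields["checksum_ok"],
            "entropy_bits": round(entropy, 3), "entropy_ratio": round(entropy / max_entropy, 3)}


if __name__ == "__main__":
    monitors = {"10.0.0.9"}  # constructed address of the management server
    for label, payload, src in [("windows ping", WINDOWS_PING_PAYLOAD, "10.0.0.5"),
                                ("linux ping", LINUX_SAMPLE_PAYLOAD, "10.0.0.5"),
                                ("random payload, unknown host", RANDOM_LOOKING_PAYLOAD, "10.0.0.5"),
                                ("random payload, monitor host", RANDOM_LOOKING_PAYLOAD, "10.0.0.9")]:
        print(label, triage(build_icmp_echo(0x1234, 1, payload), src, monitors))
```

The entropy figures show why payload randomness alone is a weak signal: a Linux ping's incrementing bytes are already near-maximal entropy, so the useful test is the known-pattern match, with the allowlist covering the management hosts that legitimately deviate from it.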
Friday, March 17, 2006