Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:475 |
| Message | ICMP traceroute ipopts |
| Summary | This event is generated when a network host sends an ICMP datagram with the Record Route IP option. |
| Impact | Packets containing IP Record Route options are used to emulate the functionality of traceroute. |
| Detailed Information | The Record Route IP option is used to store routing information about the path a datagram takes to its destination. ICMP ECHO packets with an IP header utilizing the Record Route option are used to emulate the functionality of traceroute. |
| Affected Systems | |
| Attack Scenarios | A remote attacker may attempt to use the Record Route IP option to determine routing information if traceroute fails. |
| Ease of Attack | Numerous tools and scripts can generate this type of datagram. |
| Corrective Action | Use ingress filtering to block incoming datagrams with the IP Record Route option. |
| Additional References | http://www.whitehats.com/info/IDS238 |
| Rule References | arachnids: 238 |
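
The check described above, as an added Python example (not Snort's or Aanval's code): it walks the IPv4 options of a raw datagram and reports the Record Route option (type 7, RFC 791) on ICMP traffic, returning the hops recorded so far. The function names and the sample datagrams are constructed for illustration.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7  # IPv4 option types (RFC 791)
PROTO_ICMP = 1

def record_route_hops(packet: bytes):
    """Return hop addresses recorded so far if `packet` is an IPv4 ICMP
    datagram carrying Record Route, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl or packet[9] != PROTO_ICMP:
        return None
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:             # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            break                         # truncated option header
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                         # malformed length, stop parsing
        if kind == IPOPT_RR:
            if length < 3:
                return []                 # option present but no pointer byte
            # Pointer is 1-based and names the next free slot (minimum 4).
            end = max(3, min(opts[i + 2] - 1, length))
            data = opts[i + 3:i + end]
            return [".".join(map(str, data[j:j + 4]))
                    for j in range(0, len(data) - len(data) % 4, 4)]
        i += length
    return None

def build_sample(options: bytes, proto: int = PROTO_ICMP) -> bytes:
    """Constructed test datagram; checksums are zero and never inspected."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)          # ICMP echo request
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                      20 + len(options) + len(echo), 0, 0, 64, proto, 0,
                      bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return hdr + options + echo

# Constructed options: NOP + Record Route (len 39) with one hop already stored.
RR_ONE_HOP = bytes([1, 7, 39, 8, 192, 0, 2, 1]) + bytes(32)

if __name__ == "__main__":
    print(record_route_hops(build_sample(RR_ONE_HOP)))
```

A return value of `None` means no Record Route option on an ICMP datagram; an empty list means the option is present but no router has written an address yet.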
--
DID:554443