Contact: snort@islab.demokritos.gr, jpa3nos@islab.demokritos.gr

Hello dear people,

For some time now I've been working on a preprocessor for Snort. The result is spp_icmpspoof. This preprocessor is able to detect spoofed ICMP ECHO Request/Reply packets that may exist in the inbound and outbound traffic of the network protected by Snort.
Furthermore, it can detect inbound/outbound packets that are generated as an answer to a spoofed ICMP ECHO Request/Reply that took place in your internal traffic, or that someone outside your network sent somewhere else by spoofing your IP address.
It detects spoofing when someone outside your network sends spoofed packets to someone outside or inside your network, spoofed packets sent from inside your network, and other spoofing scenarios.
Every time a spoofed packet is detected an alert is generated as well as a probable case scenario describing the role and location of every host that took part in the spoofing process.
Read the README file for more info.
It was tested on a Linux RedHat 7.3 box with the snort-1.9.1 and snort-2.0.0 distributions. Some minor changes need to be made for snort-1.8.7.
I have not tested it thoroughly, but it seems to work just fine.
This preprocessor could be a way of detecting Covert Channels, Decoy Traffic, Scanning-Network Mapping, OS fingerprinting, DDoS attacks and other attacks that make use of spoofed ICMP ECHO packets.
There is still work to be done and more features to be added for the future.
Please feel free to test it and send me your comments on it, and don't hesitate to ask me any questions. I'm very interested in your feedback.

The preprocessor's files can also be found at:
http://www.islab.demokritos.gr/gr/html/snort/preprocessor_icmpspoof/downloads/

Regards,
John Papapanos (Internet Systematics Lab).
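The announcement above describes the detection idea (spoofed echo requests/replies seen inbound or outbound, answers to a request that was spoofed with your address, and a probable scenario naming each host's role) without showing the logic. The following is an added, stand-alone Python illustration of that idea; it is not the spp_icmpspoof code and makes no use of Snort's preprocessor API. It assumes a protected network HOME_NET of 192.168.1.0/24, that the sensor knows each packet's direction ("in" entering, "out" leaving), and uses constructed packet records; all of these are assumptions for the example.

```python
"""Toy detector for spoofed ICMP echo traffic (added example, not spp_icmpspoof).

Two kinds of checks, both relative to an assumed HOME_NET:
  1. address/direction consistency: a packet leaving HOME_NET must carry a home
     source address, and a packet entering it must not claim one;
  2. request/reply pairing: an echo reply with no matching echo request seen
     earlier is unsolicited, e.g. the answer to a request that someone else
     sent with our address as the (spoofed) source.
Each alert is returned with a probable scenario naming the hosts' roles.
"""
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: protected network
ECHO_REPLY, ECHO_REQUEST = 0, 8                    # ICMP type values


@dataclass(frozen=True)
class Pkt:
    direction: str  # "in" = entering HOME_NET, "out" = leaving (assumed sensor view)
    src: str
    dst: str
    icmp_type: int
    ident: int      # ICMP echo identifier
    seq: int        # ICMP echo sequence number


def is_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


class IcmpSpoofDetector:
    def __init__(self) -> None:
        # Outstanding echo requests keyed by (src, dst, ident, seq).
        self.pending: set = set()

    def inspect(self, p: Pkt):
        """Return (alert, scenario) for a suspicious packet, else None."""
        if p.icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
            return None
        kind = "request" if p.icmp_type == ECHO_REQUEST else "reply"

        # Check 1: source address must agree with the direction of travel.
        if p.direction == "out" and not is_home(p.src):
            return ("egress spoof",
                    f"a host inside {HOME_NET} sent an echo {kind} to {p.dst} with the "
                    f"forged source {p.src}; {p.src} is the victim and will receive "
                    f"{p.dst}'s answer")
        if p.direction == "in" and is_home(p.src):
            return ("ingress spoof",
                    f"a host outside {HOME_NET} sent an echo {kind} to {p.dst} forging "
                    f"the internal address {p.src}; any answer from {p.dst} goes to {p.src}")

        # Check 2: pair replies with the requests that provoked them.
        if p.icmp_type == ECHO_REQUEST:
            self.pending.add((p.src, p.dst, p.ident, p.seq))
            return None
        expected = (p.dst, p.src, p.ident, p.seq)  # request had addresses swapped
        if expected in self.pending:
            self.pending.discard(expected)
            return None
        if p.direction == "in":
            scenario = (f"{p.src} answered an echo request that carried {p.dst} as its "
                        f"source, but no such request left {HOME_NET}: {p.dst} is the "
                        f"spoofing victim, {p.src} the reflector, the real sender unknown")
        else:
            scenario = (f"{p.src} emitted an echo reply to {p.dst} with no matching "
                        f"request seen (id {p.ident}, seq {p.seq}); possible decoy or "
                        f"covert traffic")
        return ("unsolicited echo reply", scenario)


def run_detector(packets):
    """Feed packets through one detector and collect the alerts in order."""
    det = IcmpSpoofDetector()
    return [r for r in (det.inspect(p) for p in packets) if r is not None]


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Pkt("out", "192.168.1.10", "8.8.8.8", ECHO_REQUEST, 1, 1),      # legitimate ping
    Pkt("in", "8.8.8.8", "192.168.1.10", ECHO_REPLY, 1, 1),         # its answer
    Pkt("out", "10.9.9.9", "203.0.113.5", ECHO_REQUEST, 5, 1),      # forged source leaving
    Pkt("in", "198.51.100.7", "192.168.1.20", ECHO_REPLY, 77, 3),   # backscatter, no request
    Pkt("in", "192.168.1.99", "192.168.1.20", ECHO_REQUEST, 9, 2),  # internal address from outside
]

if __name__ == "__main__":
    for alert, scenario in run_detector(SAMPLE_PACKETS):
        print(f"[{alert}] {scenario}")
```

The legitimate request/reply pair produces nothing; the three remaining packets each produce an alert with the host roles spelled out. A real preprocessor would also have to age out entries in `pending` and cope with the sensor seeing only one side of an asymmetric path, which this illustration ignores.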