some time now I've been working on a preprocessor for Snort. The
result is spp_icmpspoof.This preprocessor is able to detect Spoofed
ICMP ECHO Request/Reply packets that may exist in the inbound and
outbound traffic of the network protected by snort.
Furthermore it can detect inbound/outbound packets that are generated
as an answer to a spoofed ICMP ECHO Request/Reply that took place
in your internal traffic or someone outside your network sent somewhere
else by spoofing your IP address.
It detects spoofing when someone outside your network sends spoofed
packets to someone outside or inside your network, spoofed packets
sent from inside your network and other spoofing scenarios.
Every time a spoofed packet is detected an alert is generated as
well as a probable case scenario describing the role and location
of every host that took part in the spoofing process.
Read the README file for more info.
It was tested on a Linux RedHat 7.3 box on a snort-1.9.1 and snort-2.0.0
distribution. Some minor changes need to be done for snort-1.8.7.
I have not tested it thoroughly, but it seems to work just fine.
This preprocessor could be a way of detecting Covert Channels, Decoy
Traffic, Scanning-Network Mapping, OS fingerprinting, DDoS attacks
and other attacks that make use of spoofed ICMP ECHO packets.
There is still work to be done and more features to be added for
Please feel free to test it and post me your comments on this and
don't hesitate to ask me any questions. I'm very interested in your
The preprocessor's files can also be found at:
John Papapanos(Internet Systematics Lab).