Rule:

--
Sid:
446

--
Summary:
This event is generated when an ICMP "SKIP" message with a non-zero ICMP code is detected.

--
Impact:
Informational. This may indicate that the ICMP message has been crafted. 

--
Detailed Information:
An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. The ICMP code value for this message should be 0. If a non-zero ICMP code is observed, it may be an indication that the packet was crafted with an invalid value.
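
The check described above, applied to raw IPv4 packets, as an added example that is not part of the original rule documentation or the Snort code base. It assumes ICMP type 39 for SKIP (taken from the IANA ICMP type registry, not stated on this page); the function names are hypothetical and the sample packets are constructed.

```python
import struct

ICMP_PROTO = 1
ICMP_TYPE_SKIP = 39  # assumption: SKIP type number per IANA registry, not given on the page

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over data that embeds a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(icmp_type: int, icmp_code: int, payload: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample: minimal IPv4 + ICMP packet between documentation addresses."""
    icmp = struct.pack("!BBH", icmp_type, icmp_code, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp

def check_skip_code(packet: bytes):
    """Return an alert dict for ICMP SKIP with a non-zero code, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4, or truncated
    ihl = (packet[0] & 0x0F) * 4
    total_len, _, frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or packet[9] != ICMP_PROTO or len(packet) < ihl + 4:
        return None                      # bad header length, not ICMP, or no ICMP header
    if frag & 0x1FFF:
        return None                      # later fragment: carries no ICMP header
    icmp = packet[ihl:total_len]
    if len(icmp) < 4 or icmp[0] != ICMP_TYPE_SKIP or icmp[1] == 0:
        return None                      # other type, or SKIP with the expected code 0
    return {
        "sid": 446,
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "icode": icmp[1],
        # Triage aid: a failed checksum means corruption or a packet built without recomputing it.
        "checksum_ok": inet_checksum(icmp) == 0,
    }

if __name__ == "__main__":
    for pkt in (build_packet(39, 0), build_packet(39, 5), build_packet(8, 1)):
        print(check_skip_code(pkt))
```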
 

--
Affected Systems:
This traffic should have no adverse impact.

--
Attack Scenarios:
An attacker may craft an ICMP "SKIP" message with an invalid ICMP code.  A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated.

--
Ease of Attack:
Simple. There are many packages available to generate ICMP messages.

--
False Positives:
Although it should be rare, it is possible to observe an ICMP "SKIP" message with an ICMP code greater than 0 if it is generated by software that does not conform to standards.

--
False Negatives:
None Known.

--
Corrective Action:
None.

--
Contributors:
Original rule writer unknown.
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

--
