[Snort-sigs] SID 469

warchild at ...288...
Sun Apr 28 11:48:01 EDT 2002


pcap attached

#####

--
Rule:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

--
Sid:
469

--
Summary:
Your sensor detected an ICMP ping that is typically generated by nmap.

--
Impact:
This could indicate a full scan by nmap which is sometimes indicative of
potentially malicious behavior.

--
Detailed Information:
Nmap's ICMP ping, by default, sends zero data as part of the ping.
Nmap typically pings the host via icmp if the user has root
privileges, and uses a tcp-ping otherwise.

--
Attack Scenarios:
As part of an information gathering attempt, an attacker may use nmap
to see what hosts are alive on a given network.  If nmap is used for
portscanning as root, the icmp ping will occur by default unless the
user specifies otherwise (via '-P0').

--
Ease of Attack:
Trivial.  Nmap requires little or no skill to operate.

--
False Positives:
Possible.  The only current identifying feature of nmap's ICMP ping is
that the data size is 0.  It is entirely possible that other tools may
send icmp pings with zero data.
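To make the Detailed Information and False Positives points concrete, here is an added example (not part of this submission or of Snort) that applies the rule's itype:8 / dsize:0 test to Ethernet frames read from a libpcap file. The frames, MAC/IP addresses and the zeroed checksums are constructed for the demo; a one-frame capture built this way is 82 bytes, the same size as the attached ping-nmap.tcpdump, which is what an Ethernet + IPv4 + ICMP echo request with no data comes to.

```python
import struct

ICMP_ECHO_REQUEST = 8  # itype:8 in the rule

def icmp_echo_dsize(frame: bytes):
    """Return the ICMP payload length if `frame` is an Ethernet/IPv4/ICMP echo
    request, else None.  This is the rule's itype:8 check plus Snort's dsize."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":        # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != 1 or len(ip) < total_len:  # proto 1 = ICMP
        return None
    icmp = ip[ihl:total_len]
    if len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST:
        return None
    return len(icmp) - 8              # bytes after the 8-byte ICMP header

def matches_sid469(frame: bytes) -> bool:
    return icmp_echo_dsize(frame) == 0

def pcap_frames(pcap: bytes):
    """Minimal libpcap reader: yield each captured frame in file order."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def echo_request(data: bytes) -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo request.  Checksums are left zero
    and addresses are dummies; the rule inspects neither."""
    eth = bytes(12) + b"\x08\x00"
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + icmp

def build_pcap(frames) -> bytes:
    """Constructed little-endian libpcap file (link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + recs
```

A normal 56-byte-data ping from a Linux host is not matched, while any zero-data echo request is, regardless of which tool sent it.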

--
False Negatives:
None currently.

--
Corrective Action:
If you detect other suspicious traffic from this host (e.g., a
portscan), follow standard procedure to assess what threat this may
pose.  If you only detect the icmp ping, this may have simply been a
'ping sweep' and may be ignored.

--
Contributors:
warchild at ...288...

-- 
Additional References:
www.insecure.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ping-nmap.tcpdump
Type: application/octet-stream
Size: 82 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020428/21e01e3b/attachment.obj>

