[Snort-sigs] SID 469

warchild at ...288...
Sun Apr 28 11:48:01 EDT 2002

pcap attached


alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
dsize: 0; itype: 8; reference:arachnids,162;classtype:attempted-recon;
sid:469; rev:1;)


Your sensor detected an ICMP ping that is typically generated by nmap.

This could indicate a full scan by nmap which is sometimes indicative of
potentially malicious behavior.

Detailed Information:
Nmap's ICMP ping, by default, sends zero data as part of the ping.
Nmap typically pings the host via icmp if the user has root
privileges, and uses a tcp-ping otherwise.  

Attack Scenarios:
As part of an information gathering attempt, an attacker may use nmap
to see what hosts are alive on a given network.  If nmap is used for
portscanning as root, the icmp ping will occur by default unless the
user specifies otherwise (via '-P0').

Ease of Attack:
Trivial.  Nmap requires little or no skill to operate.

False Positives:
Possible.  The only current identifying feature of nmap's ICMP ping is
that the data size is 0.  It is entirely possible that other tools may
send icmp pings with zero data.

False Negatives:
None currently.

Corrective Action:
If you detect other suspicious traffic from this host (i.e., a
portscan), follow standard procedure to assess what threat this may
pose.  If you only detect the icmp ping, this may have simply been a
'ping sweep' and may be ignored.

warchild at ...288...

Additional References:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ping-nmap.tcpdump
Type: application/octet-stream
Size: 82 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020428/21e01e3b/attachment.obj>
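As an added example, not part of the original post or of Snort itself, the following Python re-implements the SID 469 match logic (ICMP echo request, itype 8, with dsize 0) and runs it over two constructed IPv4/ICMP packets: a zero-data ping as described above and a typical 56-byte ping. Packet contents and addresses are constructed for illustration.

```python
"""Added example (not from the original post): minimal SID 469 match logic,
ICMP echo request (itype 8) carrying zero data bytes (dsize 0), checked
against constructed IPv4/ICMP packets."""
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a constructed IPv4 packet carrying an ICMP echo request (type 8)."""
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
    total_len = 20 + len(icmp)
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL,
    # protocol 1 (ICMP), header checksum left 0 (not checked here),
    # constructed addresses 10.0.0.1 -> 10.0.0.2.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + icmp


def matches_sid469(packet: bytes) -> bool:
    """True if the packet is an ICMP echo request with dsize 0, as in SID 469."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if proto != 1 or total_len > len(packet) or total_len < ihl + 8:
        return False
    itype = packet[ihl]
    dsize = total_len - ihl - 8   # payload bytes after the 8-byte ICMP header
    return itype == 8 and dsize == 0


# Constructed samples: zero-data ping (as the post describes for nmap)
# versus a typical ping carrying 56 bytes of data.
ZERO_DATA_PING = build_echo_request(b"")
TYPICAL_PING = build_echo_request(bytes(range(56)))
```

Only the zero-data packet matches, which is exactly why the post lists other zero-data pingers as a false-positive source.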
