[Snort-sigs] ICMP PING

Gisli Helgason Gisli at ...281...
Tue Jan 22 09:38:04 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: ICMP PING 

--
Sid: 384

--
Summary: ICMP echo request was sent to a host on your network.

--
Impact: Attackers may find valuable information about your hosts.  Your site
may possibly be used for DoS attacks on other networks.

--
Detailed Information:  ICMP echo requests are used to test network
connectivity and are normally seen on all networks.  They can be part of a
DoS attack when sent to a broadcast address and combined with a forged
source address.  How your host responds to an ICMP echo request can give the
attacker an idea of what operating system the responding host is running.

--
Attack Scenarios:   

--
Ease of Attack: Very simple to use.  Tools include ping, nmap and most
network monitoring tools.

--
False Positives: Many tools including ping and most network monitoring tools
generate ICMP echo requests.

--
False Negatives:

--
Corrective Action:  All ICMP traffic should be filtered out at the perimeter
firewall.

--
Contributors:  Gisli Helgason mailto:gh1304 at ...12...

-- 
Additional References: RFC-792 http://www.freesoft.org/CIE/RFC/1122/46.htm
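
Added example, not part of the original post or of Snort: a Python triage helper that separates the two cases described under Detailed Information, routine unicast echo requests (the false-positive source) and echo requests addressed to a broadcast address of the protected network. The home network 192.0.2.0/24, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

ICMP_PROTO = 1      # IPv4 protocol number for ICMP
ECHO_REQUEST = 8    # ICMP type 8, code 0 (RFC 792)
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

def classify(packet: bytes, home_net: str) -> str:
    """Return 'echo-broadcast', 'echo-unicast' or 'ignore' for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "ignore"                      # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4             # header length; IP options shift the ICMP header
    if ihl < 20 or packet[9] != ICMP_PROTO or len(packet) < ihl + 8:
        return "ignore"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "ignore"                      # later fragment: carries no ICMP header
    if packet[ihl] != ECHO_REQUEST or packet[ihl + 1] != 0:
        return "ignore"
    net = ipaddress.ip_network(home_net)
    dst = ipaddress.ip_address(packet[16:20])
    if dst == LIMITED_BCAST:
        return "echo-broadcast"
    if dst not in net:
        return "ignore"
    # Directed broadcast (and the legacy all-zeros host form) of the home network
    if dst in (net.broadcast_address, net.network_address):
        return "echo-broadcast"
    return "echo-unicast"

def build_sample(src: str, dst: str, icmp_type: int = ECHO_REQUEST) -> bytes:
    """Constructed sample packet, held in memory only; checksums are zero (not checked above)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"abcdefgh"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, ICMP_PROTO, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + icmp

def triage(packets, home_net: str) -> Counter:
    """Count classifications so broadcast pings stand out from routine monitoring noise."""
    return Counter(classify(p, home_net) for p in packets)

if __name__ == "__main__":
    samples = [build_sample("198.51.100.7", "192.0.2.10"),
               build_sample("198.51.100.7", "192.0.2.255"),
               build_sample("192.0.2.10", "198.51.100.7", icmp_type=0)]
    print(triage(samples, "192.0.2.0/24"))
```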





