[Snort-sigs] ICMP PING
Gisli at ...281...
Tue Jan 22 09:38:04 EST 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Rule: ICMP PING
Summary: ICMP echo request was sent to a host on your network.
Impact: Attackers may find valuable information about your hosts. Your site
may possibly be used for DOS attacks on other networks.
Detailed Information: ICMP echo requests are used to test network
connectivity and are normally seen on all networks. They can be part of a
DOS attack when sent to a broadcast address and combined with a forged
source address. How your host responds to an ICMP echo request can give the
attacker an idea of what operating system the responding host is running.
Ease of Attack: Very simple to use. Tools include ping, nmap and most
network monitoring tools.
False Positives: Many tools including ping and most network monitoring tools
generate ICMP echo requests.
Corrective Action: All ICMP traffic should be filtered out at the perimeter.
Contributors: Gisli Helgason mailto:gh1304 at ...12...
Additional References: RFC-792 http://www.freesoft.org/CIE/RFC/1122/46.htm
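
Added example, not part of the original post or of Snort: a triage helper that separates the routine echo requests named under False Positives from those sent to a broadcast address, the case the Detailed Information ties to DOS. The HOME_NETS value, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the protected networks (RFC 5737 documentation range, constructed).
HOME_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def build_packet(src, dst, icmp_type, icmp_code=0):
    """Build a minimal IPv4+ICMP packet for the constructed samples (checksums left 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + icmp


def classify(packet, home_nets=HOME_NETS):
    """Label a raw IPv4 packet: not-echo-request, external, unicast-ping, broadcast-ping."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-echo-request"
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 2 or packet[9] != 1:   # protocol 1 = ICMP
        return "not-echo-request"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:  # later fragment: no ICMP header
        return "not-echo-request"
    if packet[ihl] != 8 or packet[ihl + 1] != 0:      # echo request = type 8, code 0
        return "not-echo-request"
    dst = ipaddress.ip_address(packet[16:20])
    if dst == LIMITED_BROADCAST:
        return "broadcast-ping"
    for net in home_nets:
        if dst in net:
            # Directed broadcast is the pattern the description ties to DoS.
            return "broadcast-ping" if dst == net.broadcast_address else "unicast-ping"
    return "external"


# Constructed sample traffic, not captured from a real network.
SAMPLES = [
    build_packet("198.51.100.7", "192.0.2.10", 8),    # ordinary ping to one host
    build_packet("198.51.100.7", "192.0.2.255", 8),   # ping to the subnet broadcast
    build_packet("192.0.2.10", "198.51.100.7", 0),    # echo reply, not a request
    build_packet("198.51.100.7", "203.0.113.5", 8),   # request to a foreign host
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```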