[Snort-sigs] ICMP PING Delphi-Piette Windows

Gisli Helgason Gisli at ...281...
Wed Jan 23 01:42:02 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: ICMP PING Delphi-Piette Windows
--
Sid: 372

--
Summary: ICMP echo request was sent to a host on your network from ICMP PING
Delphi-Piette for Windows. 

--
Impact: Attackers may find valuable information about your hosts. Your site
may possibly be used for DOS attacks on other networks.

--
Detailed Information: ICMP echo requests are used to test network
connectivity and are normally seen on all networks. They can be part of a
DOS attack when sent to a broadcast address and combined with a forged
source address. How your host responds to an ICMP echo request can give the
attacker an idea on what operating system the responding host is running.

--
Attack Scenarios:

--
Ease of Attack: Generic tools such as ping and nmap can send this type of
packet. 

--
False Positives: Many tools including ping and most network monitoring tools
generate ICMP echo requests.

--
False Negatives:

--
Corrective Action: Verify that the packet was not malicious, and investigate
blocking certain types of ICMP traffic at your firewall.

--
Contributors: Gisli Helgason mailto:gh1304 at ...12...

-- 
Additional References: http://www.freesoft.org/CIE/RFC/1122/
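
A triage helper for the check described under Detailed Information and Corrective Action, added here as an example and not part of the original post or of the Snort rule: it parses a raw IPv4 packet, confirms it is an ICMP echo request, and flags a broadcast destination or a bad ICMP checksum. The function names, the home network 192.0.2.0/24 and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def triage_echo_request(packet: bytes, home_net: str) -> list[str]:
    """Return triage notes for a raw IPv4 packet; [] if it is not an echo request."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    # Protocol 1 is ICMP; a non-first fragment carries no ICMP header.
    if ihl < 20 or packet[9] != 1 or frag & 0x1FFF or len(packet) < ihl + 8:
        return []
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 or icmp[0] != 8 or icmp[1] != 0:  # type 8, code 0 = echo request
        return []
    notes = ["echo-request"]
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        notes.append("bad-icmp-checksum")
    net = ipaddress.ip_network(home_net)
    dst = ipaddress.ip_address(packet[16:20])
    limited = ipaddress.ip_address("255.255.255.255")
    if dst in (net.broadcast_address, net.network_address, limited):
        notes.append("broadcast-destination")  # amplification pattern from the description
    return notes

def build_echo_request(src: str, dst: str, payload: bytes) -> bytes:
    """Build a constructed sample packet (not captured traffic); IP checksum left at 0."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + icmp

if __name__ == "__main__":
    sample = build_echo_request("203.0.113.7", "192.0.2.255", b"constructed payload")
    print(triage_echo_request(sample, "192.0.2.0/24"))
```
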




