[Snort-sigs] ICMP PING NMAP
Gisli at ...281...
Wed Jan 23 01:53:04 EST 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Rule: ICMP PING NMAP
Summary: ICMP echo request was sent to a host on your network from nmap.
Impact: Attackers may find waluable information about your hosts. Your site
may possibly be used for DOS attacks on other networks.
Detailed Information: ICMP echo request are used to test network
connectivity and are normally seen on all networks. They can be part of a
DOS attack when sent to a broadcast address and combined with a forged
source address. How your host responds to a ICMP echo request can give the
attacker an idea on what operating system the responding host is running.
Ease of Attack: Generic tools such as ping and nmap can send this type of
False Positives: Many tools including ping and most network monitoring tools
generate ICMP echo requests
Corrective Action: Verify that the packet was not malicious, and investigate
blocking certian types of ICMP traffic at your firewall.
Contributors: Gisli Helgason mailto:gh1304 at ...12...
Additional References: http://www.freesoft.org/CIE/RFC/1122/
More information about the Snort-sigs