[Snort-sigs] SID 378, 13 of 20

Steven Alexander alexander.s at ...1565...
Mon Jun 9 09:47:05 EDT 2003


Rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Ping-O-MeterWindows"; content:"|4f4d 6574 6572 4f62 6573 6541 726d 6164|"; itype:8; depth:32; reference:arachnids,164; sid:378; classtype:misc-activity; rev:4;)
--
Sid:

378

--
Summary:

ping is a standard networking utility that determines if a target host
is up. This rule indicates that the ping originated from a host running
Ping-O-Meter on Microsoft Windows.

--
Impact:

Can be used as a reconnaissance tool.

--
Detailed Information:

ping sends an ICMP Echo Request packet to an IP address.  If a host is
up at that address it will reply with an ICMP Echo Reply.  The reply
includes the data portion of the echo packet.  The data included in the
Echo Request varies across different implementations.
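As an added example (not part of the original post), the check below applies the three tests this rule makes, itype:8, the 16-byte content, and depth:32, to a constructed raw IPv4/ICMP packet. It assumes that, as for Snort's ICMP echo decoding, the bytes searched are those after the 8-byte echo header, and the sample packets (TEST-NET addresses, zero checksums) are constructed here for illustration.

```python
import struct

# The 16 data bytes from the rule's content option (SID 378), decoded from hex.
SID378_CONTENT = bytes.fromhex("4f4d657465724f6265736541726d6164")  # b"OMeterObeseArmad"
SID378_DEPTH = 32          # depth:32 -> search only the first 32 payload bytes
ICMP_ECHO_REQUEST = 8      # itype:8


def parse_ipv4_icmp(pkt: bytes):
    """Return (icmp_type, echo_payload) for a raw IPv4 packet carrying ICMP, else None."""
    if len(pkt) < 20:
        return None
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4 or proto != 1:          # IPv4 only, IP protocol 1 = ICMP
        return None
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes (options included)
    if len(pkt) < ihl + 8:                       # need the 8-byte echo header
        return None
    icmp_type = pkt[ihl]
    return icmp_type, pkt[ihl + 8:]              # assumption: data after type/code/csum/id/seq


def matches_sid378(pkt: bytes) -> bool:
    """True when the packet would trigger SID 378: echo request with the content in depth 32."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return False
    icmp_type, payload = parsed
    # The pattern must lie entirely within the first SID378_DEPTH bytes of the data.
    return icmp_type == ICMP_ECHO_REQUEST and SID378_CONTENT in payload[:SID378_DEPTH]


def build_icmp(icmp_type: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample: minimal IPv4 header + ICMP echo header + payload (checksums left 0)."""
    total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))  # TEST-NET addresses
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return ip + icmp + payload


# A Unix-style ping payload (timestamp followed by 0x10, 0x11, ...) does not carry the pattern.
UNIX_STYLE_PAYLOAD = b"\x00" * 8 + bytes(range(0x10, 0x38))
```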

--
Affected Systems:

All

--
Attack Scenarios:

An attacker will often ping a machine to make sure it is up before
attacking.

--
Ease of Attack:

Very Simple

--
False Positives:

This program is also used legitimately by users and/or network
administrators to troubleshoot problems.  It is possible to emulate this
ping signature using another ping utility.

--
False Negatives:

None known.

--
Corrective Action:

ICMP packets can be blocked with a firewall.

--
Contributors:

Documentation - Steven Alexander <alexander.s at ...1565...>

--
Additional References:

http://www.whitehats.com/info/IDS164