[Snort-sigs] false positive

Chris Luhman Chris.Luhman at ...2922...
Wed Dec 8 07:30:22 EST 2004


Meta    ID #: 6 - 6
        Time: 2004-11-09 15:04:45
        Triggered Signature: [arachNIDS <http://www.whitehats.com/info/ids154>] [snort <http://www.snort.org/snort-db/sid.html?sid=483>] ICMP PING CyberKit 2.2 Windows

Sensor  name: unknown:fxp0
        interface: fxp0
        filter: none

Alert Group: none

IP      source addr: 10.2.2.2
        dest addr: 10.1.1.1
        Ver: 4
        Hdr Len: 5
        TOS: 0
        length: 84
        ID: 41868
        flags: 0
        offset: 0
        TTL: 238
        chksum: 44968

FQDN    Source Name: Unable to resolve address
        Dest. Name: mail

Options: none

ICMP    type: (8) Echo Request
        code: (0) 0
        checksum: 10031
        id:
        seq #:

Payload length = 56

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
030 : AA AA AA AA AA AA AA AA                           ........
	


GEN:SID  	 1:483
Message 	ICMP PING CyberKit 2.2 Windows
Rule 	alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING
CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA|"; depth:32; reference:arachnids,154;
classtype:misc-activity; sid:483; rev:5;)
Summary 	This event is generated when an ICMP echo request is
made from a Windows host running CyberKit 2.2 software.
Impact 	Information gathering.  An ICMP echo request can determine if a
host is active.
Detailed Information 	An ICMP echo request is used by the ping command
to elicit an ICMP echo reply from a listening live host.  An echo
request that originates from a Windows host running CyberKit 2.2
software contains a unique payload in the message request.
Affected Systems 	All
Attack Scenarios 	An attacker may attempt to determine live hosts
in a network prior to launching an attack.
Ease of Attack 	Simple
False Positives 	An ICMP echo request may be used to legitimately
troubleshoot networking problems.
If you think this rule has false positives, please help fill it out.
False Negatives 	None known.
If you think this rule has false negatives, please help fill it out.
Corrective Action 	Block inbound ICMP echo requests.
Contributors 	Original rule written by Max Vision
<vision at ...1815...>
Documented by Steven Alexander<alexander.s at ...1565...>
Sourcefire Research Team
Judy Novak <judy.novak at ...435...>
Additional References 	http://www.whitehats.com/info/IDS154
Rule References 	arachnids: 154


The above rule is getting a false positive when a ping from BigBrother
running on Win32 (10.2.2.2) is pinging 10.1.1.1. Both systems are behind
CheckPoint firewalls. Let me know if you need more info.

Chris Luhman 
IT Administrator 
Minnesota Health Licensing Boards 
2829 University Ave SE, Suite 310 
Minneapolis, MN 55414-3222 
(612) 627-5428
(612) 627-5442 FAX 
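Why the rule fires on Big Brother's pings, as an added example (this is not Snort code and was not posted in the thread): sid 483 keys only on `itype:8` plus sixteen 0xAA bytes found within the first 32 bytes of the ICMP payload, and the captured packet above carries 56 bytes of 0xAA, so any pinger that pads with 0xAA trips it, CyberKit or not. The script below parses the alert's own hex dump, applies the rule's `content`/`depth` test, and contrasts it with the 32-byte `abcdefghijklmnopqrstuvwabcdefghi` padding that Windows' built-in ping uses. The `suppress` line it emits uses Snort 2.x `threshold.conf` syntax; the source IP 10.2.2.2 comes from the alert, everything else is the example's own naming.

```python
"""Toy matcher for the payload test in Snort sid:483 (added example, not Snort code)."""

# Hex dump copied from the ACID alert above: 56 bytes of 0xAA.
ALERT_HEXDUMP = """
000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
030 : AA AA AA AA AA AA AA AA                           ........
"""

# Default 32-byte payload of the Windows ping utility, for contrast (not from the alert).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# Detection options lifted from the rule text: content:"|AA x16|"; depth:32; itype:8
RULE_CONTENT = bytes.fromhex("AA" * 16)
RULE_DEPTH = 32
RULE_ITYPE = 8


def parse_hexdump(dump: str) -> bytes:
    """Turn an ACID-style dump ("off : 16 hex bytes   ascii gutter") into raw bytes.

    Only the fixed-width hex column (16 bytes * 3 chars) is read, so the ASCII
    gutter can never be mistaken for hex digits.
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, sep, rest = line.partition(":")
        if not sep:
            continue
        hex_field = rest[: 3 * 16]
        out.extend(bytes.fromhex("".join(hex_field.split())))
    return bytes(out)


def matches_sid_483(icmp_type: int, payload: bytes) -> bool:
    """Apply the rule's tests: ICMP type 8 and the 16-byte 0xAA run inside depth 32.

    depth:N limits the content search to the first N payload bytes, so the
    pattern must *end* by offset 32 (start at offset 16 or earlier) to match.
    """
    if icmp_type != RULE_ITYPE:
        return False
    return RULE_CONTENT in payload[:RULE_DEPTH]


def suppress_line(src_ip: str, gen_id: int = 1, sig_id: int = 483) -> str:
    """threshold.conf entry (Snort 2.x syntax) silencing one signature for one monitoring host."""
    return f"suppress gen_id {gen_id}, sig_id {sig_id}, track by_src, ip {src_ip}"


if __name__ == "__main__":
    bb_payload = parse_hexdump(ALERT_HEXDUMP)
    print("Big Brother echo request matches sid 483:", matches_sid_483(8, bb_payload))
    print("Windows ping echo request matches sid 483:", matches_sid_483(8, WINDOWS_PING_PAYLOAD))
    print("Same payload as an echo reply (type 0):   ", matches_sid_483(0, bb_payload))
    print("Tuning line for the alert's source host:  ", suppress_line("10.2.2.2"))
```

The depth check is the part worth keeping in mind when tuning: a payload whose 0xAA run starts at byte 17 or later never fires, so the rule is really "0xAA filler near the start of the payload", and a per-host suppress is the cleaner fix for a known monitoring station than loosening the content match.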

