[Snort-sigs] Re: FP: sid: 469 - ICMP PING NMAP

Nigel Houghton nigel at ...435...
Fri Mar 31 09:08:02 EST 2006

 0, jynx <jynx at ...3213...>:
> I have noticed a false pos from Win2k PCs talking to MS Active Directory
> Servers. Below is the missing template information.
> --
> False Positives:        Workstations communicating with Microsoft Active
> Directory Servers will cause false positives for this sid.

Thank you for your report, here is the full false positive information
that already exists in the document:


False Positives:
Possible.  The only current identifying feature of nmap's ICMP ping is
that the data size is 0.  It is entirely possible that other tools may
send icmp pings with zero data.

Kontiki delivery manager used on windows platforms to download
multimedia files is known to produce ICMP pings that can cause this
rule to generate many events.

avast! antivirus update feature is reported to produce ICMP pings with
zero data when connecting to the avast servers. This can occur every 40
seconds if no reply is received by the client.

The avast! client attempts to ping one of the following servers:

URL: http://www.asw.cz/iavs4pro

URL: http://www.avast.com/iavs4pro

URL: http://www.iavs.net/iavs4pro

URL: http://www.iavs.cz/iavs4pro


If your information can be verified, we will add it to the document.
Please make sure your variables are set correctly, the rule is designed
to only generate an event from hosts outside the internal network, if
the PCs in question are outside the HOME_NET and the AD server is on the
HOME_NET, this may be the cause of the false positive event.

     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.

More information about the Snort-sigs mailing list