[Snort-sigs] Trying to detect a ping sweep

lists at ...3397... lists at ...3397...
Tue Apr 3 18:35:33 EDT 2012

On 04/03/12 16:30, Aaron Evers wrote:
> Greetings,
> I am trying to configure snort to detect a variety of network
> discovery traffic.  I'd like to be able to detect a ping sweep in the
> following manner:  a source address sends icmp echo requests to x number of
> unique destination addresses over x period of time.
> For example, a host that sends 10 pings to a single destination address
> over the course of 60 seconds does not generate an alert, but a host that
> sends 10 pings, each to a different destination address over the course of
> 60 seconds does generate an alert.  Is this possible?  I haven't been able
> to find a way with the online manual.

Hi Aaron, while completely untested, perhaps leveraging threshold and flowbits
would give you an acceptable solution.  I'm doing something similar but using
Perl and hashes across multiple SIDs to generate threshold analysis.  Since
you're wanting to constrain this to ICMP echo-request I might would try:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"CUSTOM_RULES NOALERT
Incoming ICMP Echo Request"; itype:8; flowbits:set,custom.psweep;
flowbits:noalert; threshold:type limit, track by_src, count 10, seconds 60;
classtype:icmp-event; sid:x; rev:1;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"CUSTOM_RULES ALERT Incoming
ICMP Echo Request Sweep to Multiple Hosts"; itype:8;
flowbit:isset,custom.psweep; classtype:icmp-event; threshold:type limit, track
by_dst, count 1, seconds 60;  sid:x; rev:1;)

I'm not certain this is 100% correct but hopefully it gives you some ideas or at
least points you into the right direction.  Hopefully others may be able to assist.


More information about the Snort-sigs mailing list