[Snort-users] False PING NMAP TCP (still)

Laurie Zirkle lat at ...214...
Mon Aug 7 12:19:02 EDT 2000


I pulled the 07272k.rules set from snort.org and restarted on this
particular machine.  I'm still seeing what I'm told are false alarms
for this one.  

Aug  7 11:13:09 milo.cns.vt.edu snort[15718]: IDS28 - PING NMAP TCP: 205.128.11.157:80 -> 198.82.247.98:53
Aug  7 11:13:09 milo.cns.vt.edu snort[15718]: IDS28 - PING NMAP TCP: 205.128.11.157:53 -> 198.82.247.98:53
------
[**] IDS28 - PING NMAP TCP [**]
08/07-11:13:09.459894 205.128.11.157:80 -> 198.82.247.98:53
tcp TTL:44 TOS:0x0 ID:31206 
******A* Seq: 0x1C7   Ack: 0x0   Win: 0x578

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS28 - PING NMAP TCP [**]
08/07-11:13:09.460034 205.128.11.157:53 -> 198.82.247.98:53
tcp TTL:44 TOS:0x0 ID:31207 
******A* Seq: 0x1C8   Ack: 0x0   Win: 0x578
------

I had contacted the source last week when I saw this using the older rules
from June, and received this response:

The probes are sent from our geographic load balancing
devices, trying to determine your proximity and latency to our
different locations.  This is by design.

--
Laurie
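As an added example, not code from the post or from the Snort project, here is a small triage script that parses the alert records quoted above, applies the IDS28 check as it is assumed here (TCP ACK flag set while the acknowledgement number is zero, the shape of an nmap TCP ping) and separates the documented benign case, a confirmed load-balancer prober hitting port 53, from hits that still need a look; the allowlist and the embedded sample text are constructed for this example.

```python
import re
# Constructed sample in classic Snort alert-file format; it mirrors the two
# records quoted in the post but is embedded here so the example runs offline.
SAMPLE_ALERTS = """\
[**] IDS28 - PING NMAP TCP [**]
08/07-11:13:09.459894 205.128.11.157:80 -> 198.82.247.98:53
tcp TTL:44 TOS:0x0 ID:31206
******A* Seq: 0x1C7   Ack: 0x0   Win: 0x578

[**] IDS28 - PING NMAP TCP [**]
08/07-11:13:09.460034 205.128.11.157:53 -> 198.82.247.98:53
tcp TTL:44 TOS:0x0 ID:31207
******A* Seq: 0x1C8   Ack: 0x0   Win: 0x578
"""

# Hypothetical allowlist: sources the analyst has confirmed send geographic
# load-balancer proximity probes by design, as the vendor told the poster.
KNOWN_GSLB_PROBERS = {"205.128.11.157"}

HDR = re.compile(r"\[\*\*\] (?P<msg>.+?) \[\*\*\]")
ADDR = re.compile(r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Snort 1.x prints an 8-character flag field (12UAPRSF), e.g. "******A*" = ACK only.
FLAGS = re.compile(r"^(?P<flags>[*A-Z12]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Parse blank-line separated Snort 1.x alert records into dicts."""
    alerts = []
    for rec in text.strip().split("\n\n"):
        lines = rec.splitlines() + [""] * 4  # pad so short records fail the regexes, not index
        h, a, f = HDR.match(lines[0]), ADDR.match(lines[1]), FLAGS.match(lines[3])
        if not (h and a and f):
            continue  # not a 4-line TCP alert record; skip it
        alerts.append({"msg": h["msg"], "src": a["src"], "sport": int(a["sport"]),
                       "dst": a["dst"], "dport": int(a["dport"]), "flags": f["flags"],
                       "seq": int(f["seq"], 16), "ack": int(f["ack"], 16)})
    return alerts

def matches_ids28(al):
    """IDS28 heuristic: ACK flag set with ack number 0 (nmap TCP ping, but also these GSLB probes)."""
    return "A" in al["flags"] and al["ack"] == 0

def triage(al):
    """A confirmed prober hitting the DNS port is the documented benign case;
    any other IDS28 hit still deserves a look."""
    if not matches_ids28(al):
        return "no-match"
    if al["src"] in KNOWN_GSLB_PROBERS and al["dport"] == 53:
        return "benign-gslb-probe"
    return "investigate"
```

The consecutive IP IDs (31206, 31207) and sequence numbers (0x1C7, 0x1C8) in the two records are a further hint that both packets come from one prober rather than from two unrelated scans.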
