[Snort-users] False PING NMAP TCP (still)

Bill Marquette wlmarque at ...8...
Mon Aug 7 13:29:01 EDT 2000

This is probably more F5 crap.  As if there wasn't enough of an outcry about
demon.co.uk, F5 has to introduce a product that sends out
version.bind, queries for "." and various other crap.  99% of our VERSION.BIND
and "." queries these days are people using F5 products.
The last communication I had with them held an ominous (not quoted verbatim,
just from memory):
     We are incorporating more "stealth" features into the F5 product to get
around firewalls and IDS
Apparently those "stealth" features aren't working too well.  Personally, (I
can't implement this policy, or I would) I'd just firewall out every
known F5 system on the net.  Global load balancing would be nice, but do they
have to be so damn noisy about it?  Of course the replies I
got were "no, it's an _option_", apparently one that everyone turns on *sigh*.

Laurie, FYI: F5's BigIP and 3DNS both, I believe, have an "exclusion list", so you
should feel well within your rights to request to be excluded
from their load balancing methods.


From: Laurie Zirkle <lat at ...214...> on 08/07/2000 11:19 AM
>I pulled the 07272k.rules set from snort.org and restarted on this
>particular machine.  I'm still seeing what I'm told are false alarms
>for this one.

>Aug  7 11:13:09 milo.cns.vt.edu snort[15718]: IDS28 - PING NMAP TCP: ->
>Aug  7 11:13:09 milo.cns.vt.edu snort[15718]: IDS28 - PING NMAP TCP: ->
>
>[**] IDS28 - PING NMAP TCP [**]
>08/07-11:13:09.459894 ->
>tcp TTL:44 TOS:0x0 ID:31206
>******A* Seq: 0x1C7   Ack: 0x0   Win: 0x578
>
>[**] IDS28 - PING NMAP TCP [**]
>08/07-11:13:09.460034 ->
>tcp TTL:44 TOS:0x0 ID:31207
>******A* Seq: 0x1C8   Ack: 0x0   Win: 0x578
>
>I had contacted the source last week when I saw this using the older rules
>from June, and received this response:
>The probes are sent from our geographic load balancing
>devices, trying to determine your proximity and latency to our
>different locations.  This is by design.
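An added example (editor's code, not from either poster or from Snort itself) showing what the alerts quoted above actually match on and how an operator might separate known load-balancer probes from real Nmap TCP pings. The alerts show ACK-only packets (`******A*`) with `Ack: 0x0`, which is the Nmap TCP-ping pattern that IDS28 fires on. The script parses alert records in the Snort 1.x layout quoted above, applies that match condition, applies an exclusion list of the kind Bill suggests requesting, and emits a Snort `pass` rule for an excluded network. Everything below is constructed: the archived post lost its IP addresses, so RFC 5737 documentation addresses stand in for them, the third alert is an invented non-excluded source, and the `KNOWN_GSLB_PROBERS` list is a placeholder for whatever the operator has confirmed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample in the Snort 1.x alert layout quoted in the post.
# The archived message lost its addresses, so RFC 5737 documentation
# addresses are used; the third record is an invented non-excluded source.
SAMPLE_ALERTS = """\
[**] IDS28 - PING NMAP TCP [**]
08/07-11:13:09.459894 192.0.2.10:80 -> 198.51.100.5:80
tcp TTL:44 TOS:0x0 ID:31206
******A* Seq: 0x1C7   Ack: 0x0   Win: 0x578

[**] IDS28 - PING NMAP TCP [**]
08/07-11:13:09.460034 192.0.2.10:80 -> 198.51.100.5:80
tcp TTL:44 TOS:0x0 ID:31207
******A* Seq: 0x1C8   Ack: 0x0   Win: 0x578

[**] IDS28 - PING NMAP TCP [**]
08/07-11:20:41.000000 203.0.113.77:43210 -> 198.51.100.5:22
tcp TTL:51 TOS:0x0 ID:9001
******A* Seq: 0x0   Ack: 0x0   Win: 0x400
"""

# Placeholder exclusion list: source networks the operator has confirmed as
# geographic load balancers (the F5 3DNS case in the thread).
KNOWN_GSLB_PROBERS = [ip_network("192.0.2.0/24")]

HEADER_RE = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]$")
ADDR_RE = re.compile(r"^(\S+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")
IP_RE = re.compile(r"^\w+\s+TTL:(\d+)\s+TOS:0x[0-9A-Fa-f]+\s+ID:(\d+)$")
# Snort prints the TCP flag byte as 8 positions: 1 2 U A P R S F, '*' = clear.
TCP_RE = re.compile(r"^([12UAPRSF*]{8})\s+Seq:\s*(0x[0-9A-Fa-f]+)\s+"
                    r"Ack:\s*(0x[0-9A-Fa-f]+)\s+Win:\s*(0x[0-9A-Fa-f]+)$")


@dataclass
class Alert:
    msg: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ip_id: int
    flags: frozenset  # set of flag letters that were set, e.g. {"A"}
    seq: int
    ack: int
    win: int


def parse_alerts(text):
    """Parse blank-line-separated 4-line alert records; skip anything else."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 4:
            continue
        h, a, i, t = (HEADER_RE.match(lines[0]), ADDR_RE.match(lines[1]),
                      IP_RE.match(lines[2]), TCP_RE.match(lines[3]))
        if not (h and a and i and t):
            continue
        alerts.append(Alert(
            msg=h.group(1), ts=a.group(1), src=a.group(2), sport=int(a.group(3)),
            dst=a.group(4), dport=int(a.group(5)),
            ttl=int(i.group(1)), ip_id=int(i.group(2)),
            flags=frozenset(c for c in t.group(1) if c != "*"),
            seq=int(t.group(2), 16), ack=int(t.group(3), 16), win=int(t.group(4), 16)))
    return alerts


def is_nmap_tcp_ping(a):
    """The condition visible in the quoted alerts: ACK is the only flag set
    and the acknowledgement number is 0 (a bare ACK with ack 0 is what an
    Nmap TCP ping looks like)."""
    return a.flags == frozenset("A") and a.ack == 0


def classify(a, exclusions=KNOWN_GSLB_PROBERS):
    if not is_nmap_tcp_ping(a):
        return "no-match"
    if any(ip_address(a.src) in net for net in exclusions):
        return "gslb-latency-probe"
    return "nmap-tcp-ping"


def summarize(alerts, exclusions=KNOWN_GSLB_PROBERS):
    """Per-source counts by classification, to see who generates the noise."""
    counts = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        counts[a.src][classify(a, exclusions)] += 1
    return {src: dict(c) for src, c in counts.items()}


def pass_rule(net, home_net="$HOME_NET"):
    """Snort 1.x 'pass' rule silencing the IDS28 pattern for one excluded
    source network. Pass rules are only consulted first when snort runs with
    -o (Pass->Alert->Log ordering); without it the alert still fires."""
    return (f"pass tcp {net} any -> {home_net} any "
            f'(msg:"IDS28 excluded GSLB prober"; flags:A; ack:0;)')


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for src, counts in summarize(parsed).items():
        print(src, counts)
    for net in KNOWN_GSLB_PROBERS:
        print(pass_rule(net))
```

Run on the constructed sample, the two probes from the excluded network are reported as `gslb-latency-probe` while the third source remains a genuine `nmap-tcp-ping`, which is the distinction the thread is arguing about: the packets are indistinguishable on the wire, so the only signal you have is who is sending them.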
