[Snort-users] What means IDS162 - PING Nmap2.36BETA

Kai Moritz kai at ...851...
Sat Nov 25 07:08:46 EST 2000


Hello!
I'm a new snort-user and I have problems understanding some rules!
In the past days I often found some snort-logs saying "IDS162 - PING 
Nmap2.36BETA" with various sources but only one destination-host! Does this 
mean that someone is doing a ping-decoy-scan with nmap on that host? And if 
that's the point: why can we detect that scan with the "dsize: 0"-Option, 
which is described to help detecting buffer-overflows?!
By the way: the "IDS162 - PING Nmap2.36BETA"-Messages always appear after 
some "Napster 8888 Data"-Warnings caused by the same host!

	-Kai Moritz
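
Added example, not part of the original post and not Snort's own code: a sketch of what a "dsize: 0" test on an ICMP echo request checks, grouped by destination the way the alerts in the question are. The function names, the echo-request scoping, the 8-byte header assumption and the sample addresses are all assumptions made for illustration.

```python
import struct

ICMP_ECHO_REQUEST = 8  # assumption: the alert is scoped to echo requests


def build_packet(src, dst, icmp_type, payload=b""):
    """Constructed IPv4+ICMP packet for the demo (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + icmp


def icmp_payload_size(packet):
    """Return (icmp_type, payload_len), or None if not well-formed IPv4 ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 1 or not ihl + 8 <= total_len <= len(packet):
        return None
    # Assumption: the 8-byte echo header (type, code, checksum, id, seq)
    # is not counted as payload.
    return packet[ihl], total_len - ihl - 8


def matches_empty_ping(packet):
    """True for an echo request with no data, the condition dsize: 0 tests."""
    return icmp_payload_size(packet) == (ICMP_ECHO_REQUEST, 0)


def sources_by_destination(packets):
    """Group matching packets as {destination: {sources}}."""
    hits = {}
    for pkt in packets:
        if matches_empty_ping(pkt):
            src = ".".join(map(str, pkt[12:16]))
            dst = ".".join(map(str, pkt[16:20]))
            hits.setdefault(dst, set()).add(src)
    return hits


# Constructed sample traffic (documentation addresses, not from the post).
SAMPLE = [
    build_packet("198.51.100.7", "192.0.2.10", 8),             # empty echo request
    build_packet("203.0.113.9", "192.0.2.10", 8),              # empty echo request
    build_packet("198.51.100.7", "192.0.2.10", 8, b"A" * 56),  # padded echo request
    build_packet("203.0.113.9", "192.0.2.10", 0),              # echo reply, ignored
]
```
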


