[Snort-users] What means IDS162 - PING Nmap2.36BETA
kai at ...851...
Sat Nov 25 07:08:46 EST 2000
I'm a new snort-user and I have problems in understanding some rules!
In the past days I often found some snort-logs saying "IDS162 - PING
Nmap2.36BETA" with various sources but only one destination host! Does this
mean that someone is doing a ping-decoy-scan with nmap on that host? And if
that's the point: why can we detect that scan with the "dsize: 0"-Option,
which is described to help detecting buffer-overflows?!
By the way: the "IDS162 - PING Nmap2.36BETA"-Messages always appear after
some "Napster 8888 Data"-Warnings caused by the same host!