[Snort-users] What does IDS162 - PING Nmap2.36BETA mean?

James Hoagland hoagland at ...47...
Sat Nov 25 10:59:23 EST 2000


At 1:08 PM +0100 11/25/00, Kai Moritz wrote:
>Hello!
>I'm a new snort-user and I have problems in understanding some rules!
>In the past days I often found some snort-logs saying "IDS162 - PING
>Nmap2.36BETA" with various sources but only one destination-host! Does this
>mean that someone is doing a ping-decoy-scan with nmap on that host? And if
>that's the point: why can we detect that scan with the "dsize: 0"-Option,
>which is described to help detecting buffer-overflows?!

This is the rule that produces this alert:

alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA"; dsize: 0; itype: 8; )

It matches whenever there is an incoming ICMP packet whose data size 
is 0 and whose ICMP type is 8 (echo request I believe). 
It does not necessarily mean that someone is running Nmap on you. 
Any packet that meets the description I gave will produce the alert.

"IDSnnn" in a message means that there is information available about 
that signature on the arachNIDS database.  See 
http://www.whitehats.com and in particular 
http://www.whitehats.com/IDS/nnn.

>By the way: the "IDS162 - PING Nmap2.36BETA"-Messages always appear after
>some "Napster 8888 Data"-Warnings caused by the same host!

These are probably related.  The "IDS162 - PING Nmap2.36BETA" alert 
seems to be matching on something in the Napster protocol.

Hope this helps,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
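To make the point of the reply concrete, here is an added example (not code from the original mail, and not Snort's own rule engine) that evaluates the quoted IDS162 rule against constructed ICMP packets. It is a toy matcher that only understands the pieces this rule uses: the icmp protocol, $HOME_NET with optional "!" negation, and the dsize and itype options compared for equality. The value of $HOME_NET (192.168.1.0/24) and the sample addresses are assumptions. It shows that any empty-payload echo request from outside the home network fires the alert, whatever tool sent it, while a normal ping carrying data, an echo reply, or a packet from inside the home network does not.

```python
import ipaddress
import re
import struct

# Assumed value for $HOME_NET; Snort takes this from the configuration.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# The rule quoted in the reply, written on one line.
RULE = ('alert icmp !$HOME_NET any -> $HOME_NET any '
        '(msg:"IDS162 - PING Nmap2.36BETA"; dsize: 0; itype: 8; )')


def parse_rule(rule):
    """Split a one-line rule into header fields and an option dictionary."""
    m = re.match(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$', rule)
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in body.split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "dst": dst, "opts": opts}


def addr_matches(spec, ip):
    """Evaluate an address spec: 'any', '$HOME_NET', or a CIDR, with optional '!' negation."""
    negate = spec.startswith('!')
    spec = spec.lstrip('!')
    if spec == 'any':
        hit = True
    elif spec == '$HOME_NET':
        hit = ipaddress.ip_address(ip) in HOME_NET
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return not hit if negate else hit


def rule_matches(rule, src_ip, dst_ip, icmp_bytes):
    """Return the rule's msg if the ICMP packet (header + payload) matches, else None."""
    r = parse_rule(rule)
    if r["proto"] != "icmp" or len(icmp_bytes) < 8:
        return None
    if not (addr_matches(r["src"], src_ip) and addr_matches(r["dst"], dst_ip)):
        return None
    itype = icmp_bytes[0]
    # ICMP echo header is 8 bytes (type, code, checksum, id, seq); dsize counts what follows.
    payload = icmp_bytes[8:]
    opts = r["opts"]
    if "itype" in opts and itype != int(opts["itype"]):
        return None
    if "dsize" in opts and len(payload) != int(opts["dsize"]):
        return None
    return opts.get("msg")


def echo_packet(payload=b"", icmp_type=8):
    """Constructed ICMP echo packet; checksum left as 0 because the rule never inspects it."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload


if __name__ == "__main__":
    # Empty echo request from outside: fires, regardless of which tool sent it.
    print(rule_matches(RULE, "10.0.0.5", "192.168.1.10", echo_packet()))
    # A typical ping carrying 56 bytes of data: dsize is not 0, no alert.
    print(rule_matches(RULE, "10.0.0.5", "192.168.1.10", echo_packet(b"\x00" * 56)))
    # Echo reply (type 0) with no data: itype does not match.
    print(rule_matches(RULE, "10.0.0.5", "192.168.1.10", echo_packet(icmp_type=0)))
    # Empty echo request from inside $HOME_NET: source negation excludes it.
    print(rule_matches(RULE, "192.168.1.20", "192.168.1.10", echo_packet()))
```

The second case is the one worth noticing when triaging these alerts: the rule keys on an empty payload, so a normal ping with its usual data bytes never triggers it, while any sender that omits the data, Nmap or not, does.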



More information about the Snort-users mailing list