[Snort-users] What does IDS162 - PING Nmap2.36BETA mean
hoagland at ...47...
Sat Nov 25 10:59:23 EST 2000
At 1:08 PM +0100 11/25/00, Kai Moritz wrote:
>I'm a new snort-user and I have problems in understanding some rules!
>In the past days I often found some snort-logs saying "IDS162 - PING
>Nmap2.36BETA" with various source but only one destination-host! Does this
>mean that someone is doing a ping-decoy-scan with nmap on that host? And if
>that's the point: why can we detect that scan with the "dsize: 0"-Option,
>which is described to help detecting buffer-overflows?!
This is the rule that produces this alert:
alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA"; dsize: 0; itype: 8; )
It matches whenever there is an incoming ICMP packet whose payload size
is 0 and whose ICMP type is 8 (echo request, I believe).
It does not necessarily mean that someone is running Nmap on you.
Any packet that meets the description I gave will produce the alert.
"IDSnnn" in a message means that there is information available about
that signature on the arachNIDS database. See
http://www.whitehats.com and in particular
>By the way: the "IDS162 - PING Nmap2.36BETA"-Messages always appear after
>some "Napster 8888 Data"-Warnings caused by the same host!
These are probably related. The "IDS162 - PING Nmap2.36BETA" alert
seems to be matching on something in the Napster protocol.
Hope this helps,
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* http://www.silicondefense.com/ *|
|* Voice: (707) 445-4355 x13 Fax: (707) 445-4222 *|
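As an added example (not part of the original message, and not Snort's own code), the script below re-implements what the IDS162 rule header and body test, and runs it over a few constructed IPv4/ICMP packets. Snort's "dsize" for an ICMP echo is the data after the 8-byte ICMP header, and "itype" is the ICMP type field; the rule header additionally requires the source to be outside $HOME_NET and the destination inside it. The $HOME_NET value, the addresses and the packet payloads are assumptions chosen for the example.

```python
"""Re-implementation of the IDS162 match condition over constructed packets.

Added example, not code from the original post or from Snort. HOME_NET,
addresses and payloads are assumed values chosen for illustration.
"""
import ipaddress
import struct

# Assumed value for Snort's $HOME_NET variable.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, itype: int, payload: bytes,
                 ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a raw IPv4 + ICMP packet (echo request/reply layout)."""
    icmp = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse(pkt: bytes):
    """Return (src, dst, itype, dsize) or None if the packet is not IPv4/ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8:
        return None
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    # dsize: ICMP payload after the 8-byte type/code/checksum/id/seq header
    return src, dst, icmp[0], len(icmp) - 8


def ids162_matches(pkt: bytes) -> bool:
    """alert ICMP !$HOME_NET any -> $HOME_NET any (dsize: 0; itype: 8;)"""
    parsed = parse(pkt)
    if parsed is None:
        return False
    src, dst, itype, dsize = parsed
    if src in HOME_NET or dst not in HOME_NET:   # rule header direction
        return False
    return itype == ICMP_ECHO_REQUEST and dsize == 0   # rule body


# Constructed sample packets (assumed addresses and payloads).
OUTSIDE, INSIDE = "10.0.0.1", "192.168.1.1"
SAMPLES = {
    "empty echo request from outside": build_packet(OUTSIDE, INSIDE, ICMP_ECHO_REQUEST, b""),
    "unix ping (56-byte payload)": build_packet(OUTSIDE, INSIDE, ICMP_ECHO_REQUEST, bytes(56)),
    "windows ping (32-byte payload)": build_packet(OUTSIDE, INSIDE, ICMP_ECHO_REQUEST, bytes(32)),
    "empty echo reply": build_packet(OUTSIDE, INSIDE, ICMP_ECHO_REPLY, b""),
    "empty echo request from inside HOME_NET": build_packet("192.168.1.5", INSIDE, ICMP_ECHO_REQUEST, b""),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether IDS162 would fire on it."""
    return {name: ids162_matches(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print("ALERT" if hit else "  -  ", name)
```

Only the first sample fires: any zero-payload echo request from outside $HOME_NET matches, whatever tool sent it, while the default payloads of ordinary ping clients, an echo reply, and a request originating inside $HOME_NET do not.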