[Snort-users] What meens IDS162 - PING Nmap2.36BETA

Mikael Schmidt mikael.schmidt at ...718...
Mon Nov 27 04:33:58 EST 2000


When you do a search with Napster you will get a ping time; this is how it's 
done and that is why it's showing up. If I were you I'd change both this rule 
and all Napster rules to log since you seem to be allowing Napster traffic.


On Saturday 25 November 2000 15:59, James Hoagland wrote:
> At 1:08 PM +0100 11/25/00, Kai Moritz wrote:
> >Hello!
> >I'm a new snort-user and I have problems in understanding some rules!
> >In the past days I often found some snort-logs saying "IDS162 - PING
> >Nmap2.36BETA" with various sources but only one destination-host! Does this
> >mean that someone is doing a ping-decoy-scan with nmap on that host? And
> > if that's the point: why can we detect that scan with the "dsize:
> > 0"-Option, which is described to help detecting buffer-overflows?!
>
> This is the rule that produces this alert:
>
> alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING
> Nmap2.36BETA"; dsize: 0; itype: 8; )
>
> It matches whenever there is an incoming ICMP packet whose data size
> is 0 and whose ICMP type is 8 (echo request I believe).
> It does not necessarily mean that someone is running Nmap on you.
> Any packet that meets the description I gave will produce the alert.
>
> "IDSnnn" in a message means that there is information available about
> that signature on the arachNIDS database.  See
> http://www.whitehats.com and in particular
> http://www.whitehats.com/IDS/nnn.
>
> >By the way: the "IDS162 - PING Nmap2.36BETA"-Messages always appear after
> >some "Napster 8888 Data"-Warnings caused by the same host!
>
> These are probably related.  The "IDS162 - PING Nmap2.36BETA" alert
> seems to be matching on something in the Napster protocol.
>
> Hope this helps,
>
>    Jim

-- 
Mikael Schmidt - mikael.schmidt at ...718...
tfn:	+46(0)46 - 222 47 35
mob:	+46(0)707 - 46 60 56
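The quoted rule's matching conditions, reimplemented as an added example (not code from the thread or from Snort itself): it parses raw IPv4/ICMP packets and applies the three tests the rule makes, source outside $HOME_NET and destination inside it, ICMP type 8, and a zero-length payload, then runs them over a few constructed packets. $HOME_NET is assumed to be 192.168.1.0/24, the addresses and payload sizes are made up, and the example assumes Snort's convention that for echo messages the 4-byte id/sequence field counts as header, so dsize is the number of bytes after the 8-byte ICMP header.

```python
"""Reimplementation of the IDS162 rule's match logic (added example, not Snort code).

The rule under discussion:
    alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA"; dsize: 0; itype: 8; )
fires on ANY inbound echo request with an empty payload, regardless of who sent it.
"""
import ipaddress
import struct

# Assumed value of $HOME_NET for this example.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

IP_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
ICMP_HDR = "!BBHHH"        # type, code, checksum, id, sequence (8 bytes)


def build_ipv4_icmp(src, dst, icmp_type, payload):
    """Construct a minimal IPv4 packet carrying an ICMP message (constructed test input).

    The checksums are left at zero; the matcher never verifies them.
    """
    icmp = struct.pack(ICMP_HDR, icmp_type, 0, 0, 0x1234, 1) + payload
    ip_hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return ip_hdr + icmp


def parse(packet):
    """Return (src, dst, icmp_type, dsize) for an IPv4/ICMP packet, or None if not ICMP."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    if proto != 1:           # 1 = ICMP
        return None
    ihl = (ver_ihl & 0x0F) * 4
    icmp = packet[ihl:total_len]
    icmp_type = icmp[0]
    # Assumption: Snort counts the echo id/sequence as header, so the payload
    # ("dsize") is everything after the first 8 bytes of the ICMP message.
    dsize = len(icmp) - struct.calcsize(ICMP_HDR)
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), icmp_type, dsize


def ids162_matches(packet):
    """True iff the packet satisfies every condition of the quoted rule."""
    fields = parse(packet)
    if fields is None:
        return False
    src, dst, icmp_type, dsize = fields
    return (src not in HOME_NET        # !$HOME_NET as source
            and dst in HOME_NET        # $HOME_NET as destination
            and icmp_type == 8         # itype: 8 (echo request)
            and dsize == 0)            # dsize: 0


# Constructed sample traffic: only the first packet should trigger the rule.
SAMPLE_PACKETS = {
    "external zero-length echo request": build_ipv4_icmp("203.0.113.5", "192.168.1.10", 8, b""),
    "external echo request with 56-byte payload": build_ipv4_icmp("203.0.113.5", "192.168.1.10", 8, b"\x00" * 56),
    "internal zero-length echo request": build_ipv4_icmp("192.168.1.20", "192.168.1.10", 8, b""),
    "external zero-length echo reply": build_ipv4_icmp("203.0.113.5", "192.168.1.10", 0, b""),
}


def evaluate(packets):
    """Map each sample name to whether the IDS162 rule would fire on it."""
    return {name: ids162_matches(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_PACKETS).items():
        print(f"{'ALERT' if hit else '     '}  {name}")
```

The second sample is why the alert is not proof of Nmap: a normal ping client that pads its echo request never matches, while any client that sends an empty echo request does, which is consistent with the Napster correlation described above. Swapping `alert` for `log` in the rule text, as suggested in the reply, changes only what Snort does on a match, not which packets match.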


