[Snort-users] 13 instances of ping bsd

jess at ...521... jess at ...521...
Tue Nov 28 08:12:31 EST 2000


> yes, I appreciate that, but what information, other than the presence of a 
> live host at this IP, can be gleaned from this information, also seems 
> counterproductive, one ping I would not even have bothered, but now my 
> curiosity has been aroused....

	Well, among other things, if you know exactly which IP is probing
you, you might deny that network at the routers/FWs. 

	And he cannot assume his ping will go unnoticed...

	Imagine that the attacker has compromised an "honorable" host. If
you know exactly which IP the packet is coming from, and you find out that
this is a real attack (ping to a host which should not receive it), you
might want to alert the owner of the host. And the compromise would be
unveiled.

	If you have 13 "honorable" hosts, then you almost certainly will
not send 13 messages to the host owners to say: "hey, I received a ping
from you". So the attacker will be able to pass undetected.

								JESS



