[Snort-users] ICMP Ping speedera

Jessup, Justin Justin.Jessup at ...194...
Fri Jul 19 09:24:09 EDT 2002


1.) My guess is that you are the victim of a DDoS (distributed denial of service) attack. I would check access to your websites to see if performance is being degraded.
Also look around and see if some covert IRC channels are up and running on those web servers. Hackers often get into these wars where they try to kill a rival hacker group's covert IRC server. I would do some snooping around. Run

netstat -an

on each of those systems and see who or what is actively connected with an ESTABLISHED connection.
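The `netstat -an` check above, worked through as an added example (this code is not from the post or from any tool it names): it parses the table `netstat -an` prints on Windows or Linux, keeps only ESTABLISHED TCP sessions, groups them by remote peer so unexpected hosts stand out, and flags sessions on well-known IRC ports since covert IRC servers are what the post says to look for. The netstat output it runs on is constructed for the example.

```python
"""Summarise ESTABLISHED sessions from `netstat -an` output (added example)."""
import re
from collections import defaultdict

# Ports IRC servers commonly listen on; flagged because the post suggests
# looking for covert IRC servers on a suspected-compromised web host.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Constructed sample in Windows `netstat -an` layout (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            198.51.100.23:51234    ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.23:51240    ESTABLISHED
  TCP    10.0.0.5:80            203.0.113.9:40022      TIME_WAIT
  TCP    10.0.0.5:6667          192.0.2.77:33011       ESTABLISHED
  TCP    10.0.0.5:49152         192.0.2.77:6667        ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Windows lines: PROTO LOCAL FOREIGN STATE. Linux lines carry Recv-Q/Send-Q
# counters between PROTO and LOCAL, hence the optional numeric group.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP|tcp6?|udp6?)\s+(?:\d+\s+\d+\s+)?"
    r"(?P<laddr>\S+)\s+(?P<faddr>\S+)\s+(?P<state>[A-Z_]+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, or IPv6 with a trailing :port) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def established_connections(text):
    """Return (local_host, local_port, remote_host, remote_port) for each ESTABLISHED line."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "ESTABLISHED":
            continue
        lh, lp = split_endpoint(m.group("laddr"))
        rh, rp = split_endpoint(m.group("faddr"))
        conns.append((lh, lp, rh, rp))
    return conns


def summarize_by_peer(conns):
    """Map remote host -> sorted (local_port, remote_port) pairs, so busy peers stand out."""
    by_peer = defaultdict(list)
    for _, lp, rh, rp in conns:
        by_peer[rh].append((lp, rp))
    return {peer: sorted(pairs) for peer, pairs in by_peer.items()}


def irc_suspects(conns):
    """Sessions where either end uses a well-known IRC port (inbound or outbound)."""
    return [c for c in conns if c[1] in IRC_PORTS or c[3] in IRC_PORTS]


if __name__ == "__main__":
    conns = established_connections(SAMPLE_NETSTAT)
    for peer, pairs in summarize_by_peer(conns).items():
        print(f"{peer}: {len(pairs)} established session(s) {pairs}")
    for c in irc_suspects(conns):
        print("IRC-port session:", c)
```

Feed it real output with `netstat -an > netstat.txt` and `established_connections(open("netstat.txt").read())`; on a web server the expected picture is many peers each holding a few sessions to port 80, so a single peer with many sessions, or any session on an IRC port, is what to look at first.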


-----Original Message-----
From: /DDV=snort-users-request at lists.sourceforge.net/DDT=RFC-822/O=INETGW/P=GOV+DOJ/A=TELEMAIL/C=US/ [mailto:/DDV=snort-users-request at lists.sourceforge.net/DDT=RFC-822/O=INETGW/P=GOV+DOJ/A=TELEMAIL/C=US/] 
Sent: Friday, July 19, 2002 12:11 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #2093 - 2 msgs
Importance: Low



Today's Topics:

   1. ICMP PING speedera (L. Christopher Luther)
   2. RE: ICMP PING speedera (Hicks, John)

--__--__--

Message: 1
From: "L. Christopher Luther" <CLuther at ...6333...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Date: Fri, 19 Jul 2002 11:56:21 -0400
Subject: [Snort-users] ICMP PING speedera

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can anyone give me a good definition of what exactly an "ICMP PING
speedera" is?  Snort is detecting *many* of these types of pings
against my web server.

All activity is originating from different hosts during each scan
cycle, but the same group of hosts is repeated during each cycle. 
See below for a sample of this activity:

07/19/02-10:25:02.329385  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-10:25:02.339568  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-10:25:02.347032  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-10:25:02.352278  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-10:25:02.353595  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-10:25:02.362706  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-10:25:02.376253  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 63.238.125.34 -> 10.x.x.x
07/19/02-10:25:02.386243  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-10:25:02.397752  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-10:25:02.404776  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-10:25:02.420922  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-10:25:02.454157  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x

07/19/02-11:37:55.348729  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-11:37:55.359533  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-11:37:55.362571  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-11:37:55.366961  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-11:37:55.369756  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-11:37:55.377139  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-11:37:55.402405  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-11:37:55.404888  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-11:37:55.425166  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-11:37:55.453302  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-11:37:55.464767  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x


Sincerely,  

L. Christopher Luther  
Technology Manager  
Xybernaut Solutions, Inc.  
(703) 506-0400 x230  
cluther at ...6331...  
http://www.xybernautsolutions.com  

My PGP Public Key:  
http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPTg2pau/XM0hJhuIEQJptQCg15BOhF3YIVTaJBp7H69Of5XSNrIAn2G8
evAYtpvA+WSilrl6CwKuX+Oh
=lUhN
-----END PGP SIGNATURE-----
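A way to triage alerts like the ones in the message above, as an added example that is not part of the original post: the script parses Snort's single-line "fast" alert format, clusters alerts whose timestamps fall within a short gap of each other into one probe cycle, measures the interval between cycles, and reports which source hosts recur from cycle to cycle. A fixed set of sources returning on a regular schedule is the signature of a monitoring or content-distribution health check rather than a scan, so the interesting output is the per-cycle "new" and "gone" lists. The sample alerts are constructed for the example: the first seven reuse addresses and timestamps from the post, and the last one substitutes the documentation address 198.51.100.7 so that a change between cycles is visible.

```python
"""Group Snort fast-alert lines into probe cycles and diff their sources (added example)."""
import re
from datetime import datetime

# Constructed sample: seven lines echo the post, the final source is a
# documentation address substituted so cycle 2 differs from cycle 1.
SAMPLE_ALERTS = """\
07/19/02-10:25:02.329385  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-10:25:02.339568  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-10:25:02.347032  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-10:25:02.352278  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-11:37:55.348729  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-11:37:55.359533  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-11:37:55.362571  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-11:37:55.366961  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 10.x.x.x
"""

# Snort "fast" alert layout: timestamp, [**] [gid:sid:rev] msg [**],
# optional classification, priority, {proto}, then src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def strip_port(addr):
    """TCP/UDP alerts carry 'host:port'; ICMP ones do not. Keep only the host."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def parse_alert(line):
    """Parse one fast-alert line into a dict, or return None for non-matching lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%y-%H:%M:%S.%f"),
        "sid": int(m.group("sid")), "msg": m.group("msg"), "proto": m.group("proto"),
        "src": strip_port(m.group("src")), "dst": strip_port(m.group("dst")),
    }


def parse_alerts(text):
    """All parseable alerts in a log, sorted by time."""
    parsed = (parse_alert(l) for l in text.splitlines() if l.strip())
    return sorted((a for a in parsed if a), key=lambda a: a["time"])


def group_into_cycles(alerts, gap_seconds=60.0):
    """Start a new cycle whenever the gap to the previous alert exceeds gap_seconds."""
    cycles, current = [], []
    for a in alerts:
        if current and (a["time"] - current[-1]["time"]).total_seconds() > gap_seconds:
            cycles.append(current)
            current = []
        current.append(a)
    if current:
        cycles.append(current)
    return cycles


def cycle_intervals(cycles):
    """Seconds between the first alert of consecutive cycles (the probe schedule)."""
    starts = [c[0]["time"] for c in cycles]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def recurring_sources(cycles):
    """Sources present in every cycle: the stable probe set."""
    sets = [{a["src"] for a in c} for c in cycles]
    return sorted(set.intersection(*sets)) if sets else []


def cycle_report(cycles):
    """Per cycle: start time, alert count, and sources that appeared or vanished."""
    sets = [{a["src"] for a in c} for c in cycles]
    report = []
    for i, c in enumerate(cycles):
        prev = sets[i - 1] if i else set()
        report.append({"start": c[0]["time"], "count": len(c),
                       "new": sorted(sets[i] - prev), "gone": sorted(prev - sets[i])})
    return report


if __name__ == "__main__":
    cycles = group_into_cycles(parse_alerts(SAMPLE_ALERTS))
    print("cycles:", len(cycles), "intervals (s):", cycle_intervals(cycles))
    print("recurring sources:", recurring_sources(cycles))
    for r in cycle_report(cycles):
        print(r["start"], r["count"], "alerts; new:", r["new"], "gone:", r["gone"])
```

Run it over a real `alert` file filtered to one SID (`grep '1:480:' alert`), and adjust `gap_seconds` to the burst width you observe; the sample's two cycles start about 73 minutes apart, and the three sources common to both come out as the recurring set.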


--__--__--

Message: 2
From: "Hicks, John" <JHicks at ...5857...>
To: "Snort Users (E-mail)" <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] ICMP PING speedera
Date: Fri, 19 Jul 2002 12:07:21 -0400


IMHO these rules are useful in identifying specific programs doing the
pinging. My first thought would be monitoring applications. I had this when
I began running my IPCheck utility on my IDS subnet. The alert was "Delphi
Ping". I used Foundstone's "bintext" utility to search for the text string in
all binaries on the offending server, which picked up the string in my
ipcheck.exe.

hth,

John Hicks
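The bintext search John describes, as an added stand-alone equivalent (this is example code, not Foundstone's tool or anything from the post): it walks a directory, and for each executable reports the offsets at which a needle string occurs either as plain ASCII or as UTF-16LE, which is how Windows programs commonly store text. Files are read in chunks with an overlap so a match straddling a chunk boundary is still found. The directory tree it scans is constructed in a temporary folder, and the needle "Delphi" is illustrative; the real payload text a given Snort rule matches on comes from that rule's definition.

```python
"""Find which local binary carries a string an IDS ping rule matched on (added example)."""
import os
import tempfile


def find_string_offsets(data, needle):
    """Return sorted [(offset, encoding)] for every ASCII or UTF-16LE hit of needle in data."""
    hits = []
    for enc, pattern in (("ascii", needle.encode("ascii")),
                         ("utf-16le", needle.encode("utf-16-le"))):
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, enc))
            start = idx + 1
    return sorted(hits)


def scan_file(path, needle, chunk=1 << 20):
    """Scan one file chunk by chunk; the overlap keeps matches across chunk edges."""
    overlap = len(needle.encode("utf-16-le")) - 1  # longest pattern minus one byte
    hits, base, tail = set(), 0, b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            data = tail + block           # data[0] sits at absolute offset base - len(tail)
            for off, enc in find_string_offsets(data, needle):
                hits.add((base - len(tail) + off, enc))
            base += len(block)
            tail = data[-overlap:] if overlap else b""
    return sorted(hits)  # the set removes duplicates seen twice through the overlap


def scan_tree(root, needle, extensions=(".exe", ".dll", ".sys")):
    """Map relative path (with '/' separators) -> hits, for files that contain the needle."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path, needle)
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def build_sample_tree():
    """Constructed stand-in for a server's program directory (not real binaries)."""
    root = tempfile.mkdtemp(prefix="bintext_demo_")
    os.makedirs(os.path.join(root, "tools"))
    samples = {
        # ASCII "Delphi Ping" at offset 4 + 40 = 44
        "ipcheck.exe": b"MZ\x90\x00" + b"\x00" * 40 + b"Delphi Ping\x00" + b"\xcc" * 20,
        # UTF-16LE "Delphi" at offset 2 + 10 = 12
        os.path.join("tools", "monitor.dll"):
            b"MZ" + b"\x00" * 10 + "Delphi".encode("utf-16-le") + b"\x00" * 8,
        # Mentions the needle but is skipped because .txt is not an executable extension
        "notes.txt": b"Delphi is mentioned here but .txt files are not scanned\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, hits in sorted(scan_tree(root, "Delphi").items()):
        print(rel, hits)
```

Point `scan_tree` at the program directories of the host that is pinging, using the text your rule fires on as the needle, and the file that comes back is the candidate to identify; a hit in a known monitoring or health-check tool makes the alert a tuning problem rather than an incident.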




