[Snort-users] ICMP Ping NMAP

larosa, vjay larosa_vjay at ...3331...
Tue Jul 30 14:33:04 EDT 2002


Hello Everyone,

Unfortunately I am still working on this same problem. I do have some more
information to share, so maybe someone out there can help me solve this
problem. Here are the characteristics:

1) Thousands of ICMP NMAP ping events per day are being triggered.
2) Each ICMP packet has NO payload.
3) The TTL of the first packet is always 1, then 8 more are sent, each
   incrementing the TTL until it reaches 9 (I had previously stated the
   reverse, sorry).
4) The ICMP ID always has a gap between the first two packets, then the next 7
   packets' ICMP IDs increment by 1.
5) Several hundred systems are all targeting two to four IP addresses,
   primarily one, with these types of packets.
6) These are all Windows-based PCs (so this is not firewalking).
7) There is no traffic being sent back from the DST address.

Here is a tcpdump of the traffic.

15:58:08.216796 X.X.58.46 > X.X.6.192: icmp: echo request [ttl 1] (id 22817, len 28)
15:58:12.812741 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 2, id 22891, len 28)
15:58:18.040037 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 3, id 23009, len 28)
15:58:18.041442 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 4, id 23010, len 28)
15:58:18.043954 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 5, id 23011, len 28)
15:58:18.046171 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 6, id 23012, len 28)
15:58:18.048413 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 7, id 23013, len 28)
15:58:18.056783 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 8, id 23014, len 28)
15:58:18.065525 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 9, id 23016, len 28)
16:00:12.399997 X.X.110.34 > X.X.6.192: icmp: echo request [ttl 1] (id 1901, len 28)
16:00:16.913454 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 2, id 1912, len 28)
16:00:21.429071 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 3, id 1922, len 28)
16:00:21.436093 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 4, id 1923, len 28)
16:00:21.438885 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 5, id 1924, len 28)
16:00:21.441510 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 6, id 1925, len 28)
16:00:21.444096 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 7, id 1926, len 28)
16:00:21.452851 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 8, id 1927, len 28)
16:00:21.461777 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 9, id 1928, len 28)

If anybody has any ideas as to what may cause this traffic, I would
appreciate any input.

vjl
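The pattern the poster describes (payload-less echo requests, TTL stepping 1 through 9, an id gap followed by +1 steps) can be checked mechanically over tcpdump text. The following is an added example, not code from the post or from Snort; it assumes the tcpdump line format shown above and uses the post's first burst, re-joined onto single lines, as a constructed sample.

```python
import re
from collections import defaultdict

# Matches both renderings in the post: "[ttl 1] (id N, len L)" and "(ttl T, id N, len L)".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: echo request "
    r"(?:\[ttl (?P<t1>\d+)\] \(id (?P<i1>\d+), len (?P<l1>\d+)\)"
    r"|\(ttl (?P<t2>\d+), id (?P<i2>\d+), len (?P<l2>\d+)\))$")

def parse_line(line):
    """(src, dst, ttl, id, len) for an echo-request line, or None if no match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return (g["src"], g["dst"], int(g["t1"] or g["t2"]),
            int(g["i1"] or g["i2"]), int(g["l1"] or g["l2"]))

def find_ttl_sweeps(lines, max_ttl=9):
    """Per (src, dst) flow of 28-byte (20 IP + 8 ICMP, no payload) echo requests
    whose TTLs run 1..max_ttl in order: the deltas between successive id values."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            flows[pkt[:2]].append(pkt)
    hits = {}
    for key, pkts in flows.items():
        ttls = [p[2] for p in pkts]
        ids = [p[3] for p in pkts]
        if all(p[4] == 28 for p in pkts) and ttls == list(range(1, max_ttl + 1)):
            hits[key] = [b - a for a, b in zip(ids, ids[1:])]
    return hits

# Constructed sample: the post's first burst, re-joined onto single lines.
SAMPLE = """\
15:58:08.216796 X.X.58.46 > X.X.6.192: icmp: echo request [ttl 1] (id 22817, len 28)
15:58:12.812741 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 2, id 22891, len 28)
15:58:18.040037 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 3, id 23009, len 28)
15:58:18.041442 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 4, id 23010, len 28)
15:58:18.043954 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 5, id 23011, len 28)
15:58:18.046171 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 6, id 23012, len 28)
15:58:18.048413 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 7, id 23013, len 28)
15:58:18.056783 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 8, id 23014, len 28)
15:58:18.065525 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 9, id 23016, len 28)
"""
if __name__ == "__main__":
    for (src, dst), d in find_ttl_sweeps(SAMPLE.splitlines()).items():
        print(f"{src} -> {dst}: TTL 1..9 sweep, no payload, id deltas {d}")
```

Running it over a full `tcpdump -n icmp` capture lists every source that shows the sweep, and the printed id deltas make it easy to see per flow whether the "gap, then +1" behaviour really holds.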
