[Snort-users] ICMP Ping NMAP

Vinay A. Mahadik VAMahadik at ...6245...
Tue Jul 30 15:55:02 EDT 2002


"larosa, vjay" wrote:
> 
> Hello Everyone,
> 
> Unfortunately I am still working on this same problem. I do have some more
> information to share so maybe someone out there can help me solve this
> problem. Here are the characteristics,
> 

I could be wrong but it looks like a custom traceroute-like tool to me..
perhaps your firewall blocks UDP high ports etc?..

This actually reminds me of a question I think I had posted before and was
never answered.. what's the point in having signatures for *tools* of
reconnaissance (nmap, queso etc)? E.g. in this case, assuming it is a
scan, and knowing that the TTL is changing, the attacker is probably
root and thus can randomize most of the headers/fields that are
irrelevant to scanning. Simply because some nice/standard scanners use
specific tags/marks shouldn't mean an IDS should include rules for all
such that are ever created? There are so many such rules in Snort.. and
I fail to see how such sigs are useful given the overhead in searching
through all (an increasing number) of them..

Any thoughts?

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
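The contrast Vinay draws above, as an added example that is not part of the thread or of Snort itself: a tool-fingerprint check keyed on a field the sender controls, beside a behavioural check keyed on what a sweep cannot hide (one source touching many hosts in a short window). The "empty payload" fingerprint and the packet summaries are constructed assumptions, not real rules or captures.

```python
from collections import defaultdict

# Constructed ICMP echo-request summaries: (timestamp, src, dst, ttl, payload_len).
# Not real captures; built so one host probes five targets while varying
# TTL and payload, and another host sends an ordinary 56-byte ping twice.
EVENTS = [
    (0.0, "10.0.0.5", "192.168.1.1", 64, 0),     # matches the fingerprint
    (0.1, "10.0.0.5", "192.168.1.2", 37, 12),    # same source, fields changed
    (0.2, "10.0.0.5", "192.168.1.3", 120, 8),
    (0.3, "10.0.0.5", "192.168.1.4", 5, 3),
    (0.4, "10.0.0.5", "192.168.1.5", 99, 0),     # matches the fingerprint again
    (5.0, "10.0.0.9", "192.168.1.1", 64, 56),   # ordinary ping
    (6.0, "10.0.0.9", "192.168.1.1", 64, 56),
]


def tool_signature_hits(events, payload_len=0):
    """Fingerprint-style check (assumed marker): flag each echo request whose
    payload has the length a particular tool is believed to emit. A sender
    with raw-socket access can change this field at will."""
    return [e for e in events if e[4] == payload_len]


def sweep_sources(events, window=2.0, min_targets=4):
    """Behavioural check: flag a source that sends echo requests to at least
    `min_targets` distinct hosts within `window` seconds, ignoring TTL and
    payload entirely."""
    by_src = defaultdict(list)
    for ts, src, dst, _ttl, _plen in events:
        by_src[src].append((ts, dst))
    flagged = set()
    for src, pkts in by_src.items():
        pkts.sort()
        for i, (t0, _) in enumerate(pkts):
            targets = {d for t, d in pkts[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("fingerprint catches", len(tool_signature_hits(EVENTS)), "of 5 probes")
    print("sweep detector flags", sorted(sweep_sources(EVENTS)))
```

On the constructed data the fingerprint catches only the two probes that happened to keep the marker, while the sweep check flags the probing source and leaves the ordinary pinger alone.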
