[Snort-users] ICMP Ping NMAP

Vinay A. Mahadik VAMahadik at ...6245...
Tue Jul 30 15:55:02 EDT 2002

"larosa, vjay" wrote:
> Hello Everyone,
> Unfortunately I am still working on this same problem. I do have some more
> information to share so maybe someone out there can help me solve this
> problem. Here are the characteristics,

I could be wrong but it looks like a custom traceroute-like tool to me..
perhaps your firewall blocks UDP high ports etc?..

This actually reminds me of a question I think I had posted before and was
never answered.. what's the point in having signatures for *tools* of
reconnaissance (nmap, queso etc). E.g. in this case, assuming it is a
scan, and knowing that the TTL is changing, the attacker is probably
root and thus can randomize most of the headers/fields that are
irrelevant to scanning. Simply because some nice/standard scanners use
specific tags/marks shouldn't mean an IDS should include rules for all
such that are created ever? There are so many such rules in Snort.. and
I fail to see how such sigs are useful given the overhead in searching
through all (an increasing number) of them..

Any thoughts?


Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
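An added illustration of the point raised above, not code from the thread or from the Snort project: a check that mirrors the stock Snort "ICMP PING NMAP" signature (an echo request with no payload, dsize:0) beside a behavioral sweep check, both run over constructed echo-request records. The addresses, TTLs, window and host threshold are assumed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Echo:
    ts: float         # capture time in seconds
    src: str
    dst: str
    ttl: int
    payload_len: int  # ICMP data bytes after the 8-byte header
    itype: int = 8    # 8 = echo request

def matches_icmp_ping_nmap(p):
    """Mirror of the stock Snort 'ICMP PING NMAP' rule: echo request, empty payload."""
    return p.itype == 8 and p.payload_len == 0

def sweep_sources(packets, window=5.0, min_hosts=4):
    """Behavioral check: a source that echo-requests >= min_hosts distinct hosts within window."""
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.itype == 8:
            by_src[p.src].append(p)
    flagged = set()
    for src, plist in by_src.items():
        for i, start in enumerate(plist):
            hosts = {q.dst for q in plist[i:] if q.ts - start.ts <= window}
            if len(hosts) >= min_hosts:
                flagged.add(src)
                break
    return flagged

def classify(packets):
    """Return {src: set of labels} so both checks can be compared side by side."""
    labels = defaultdict(set)
    for p in packets:
        if matches_icmp_ping_nmap(p):
            labels[p.src].add("sig:ICMP PING NMAP")
    for src in sweep_sources(packets):
        labels[src].add("behavior:echo sweep")
    return dict(labels)

# Constructed sample, not captured traffic: one stock empty-payload probe,
# one custom sweep with per-probe TTL and payload changes, one ordinary ping.
SAMPLE = [
    Echo(0.0, "10.0.0.5", "192.168.1.10", 64, 0),
    Echo(1.0, "10.0.0.9", "192.168.1.11", 37, 32),
    Echo(1.2, "10.0.0.9", "192.168.1.12", 120, 40),
    Echo(1.4, "10.0.0.9", "192.168.1.13", 53, 16),
    Echo(1.6, "10.0.0.9", "192.168.1.14", 201, 48),
    Echo(3.0, "192.168.1.2", "192.168.1.1", 64, 56),
]
```

The tool signature fires only on the probe that keeps the stock empty payload, while the sweep check flags the source that varies TTL and payload size but still touches several hosts in a short window; `classify(SAMPLE)` shows both results side by side.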