[Snort-users] ICMP Ping NMAP

larosa, vjay larosa_vjay at ...3331...
Tue Jul 30 17:27:07 EDT 2002


Hi Vinay,

I know that this traffic appears to look like some sort of traceroute, but I
don't believe that it is. This traffic is coming from way too many hosts destined
to the same host. The traffic is also not repeating over in any way (9 packets and
that's it). I am starting to think that it has something to do with when a user is
logging in to my network, maybe something like AOL trying to see if it can
contact the AOL network maybe?

vjl

-----Original Message-----
From: Vinay A. Mahadik [mailto:VAMahadik at ...6245...]
Sent: Tuesday, July 30, 2002 6:54 PM
To: larosa, vjay
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] ICMP Ping NMAP


"larosa, vjay" wrote:
> 
> Hello Everyone,
> 
> Unfortunately I am still working on this same problem. I do have some more
> information to share so maybe someone out there can help me solve this problem.
> Here are the characteristics,
> 

I could be wrong but it looks like a custom traceroute-like tool to me..
perhaps your firewall blocks UDP high ports etc?..

This actually reminds me of a question I think I had posted before and was
never answered.. what's the point in having signatures for *tools* of
reconnaissance (nmap, queso etc). E.g. in this case, assuming it is a
scan, and knowing that the TTL is changing, the attacker is probably
root and thus can randomize most of the headers/fields that are
irrelevant to scanning. Simply because some nice/standard scanners use
specific tags/marks shouldn't mean an IDS should include rules for all
such that are created ever? There are so many such rules in Snort.. and
I fail to see how such sigs are useful given the overhead in searching
through all (an increasing number) of them..

Any thoughts?

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
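To make the two points in the thread concrete (vjay's description of a short burst of echo requests with a changing TTL arriving from many hosts at one target, and Vinay's doubt about signatures keyed on tool marks), here is an added Python example. It is not part of the original thread and not Snort's own code. It groups constructed ICMP echo records per source/destination pair, applies a zero-payload signature check (assumption: this mirrors the logic of the classic "ICMP PING NMAP" rule, itype 8 with dsize 0) and, beside it, a behavioural check on the TTL progression that does not depend on any tool mark. Record field names, sample addresses and TTL values are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class EchoRequest(NamedTuple):
    """One ICMP echo request as a sensor might log it (hypothetical record layout)."""
    ts: float          # capture time, seconds
    src: str
    dst: str
    ttl: int           # TTL as seen at the sensor, i.e. after upstream hops decremented it
    payload_len: int   # bytes following the 8-byte ICMP header


def matches_zero_payload_echo(pkt: EchoRequest) -> bool:
    """Signature-style check on a tool mark. Assumption: this mirrors the classic
    Snort 'ICMP PING NMAP' rule, which keys on an echo request carrying no payload
    (itype:8 with dsize:0). Any zero-payload ping from any tool satisfies it, which
    is why a hit says little about who sent it or why."""
    return pkt.payload_len == 0


def classify_ttl_pattern(pkts: List[EchoRequest]) -> str:
    """Behavioural check that ignores tool marks.

    A traceroute-like probe sends successive packets with TTL 1, 2, 3, ...; the
    sensor sees only those that survived the upstream hops, each lowered by the
    same hop count, so the observed TTLs climb by exactly one per packet. A
    repeated ping or a sweep keeps the TTL fixed.
    """
    ttls = [p.ttl for p in sorted(pkts, key=lambda p: p.ts)]
    if len(ttls) < 3:
        return "too-few-packets"
    steps = {b - a for a, b in zip(ttls, ttls[1:])}
    if steps == {1}:
        return "traceroute-like"
    if steps == {0}:
        return "constant-ttl"
    return "irregular"


def summarise(pkts: List[EchoRequest]) -> Dict[Tuple[str, str], dict]:
    """Group by (src, dst) and report packet count, signature hits and TTL pattern."""
    flows: Dict[Tuple[str, str], List[EchoRequest]] = defaultdict(list)
    for p in pkts:
        flows[(p.src, p.dst)].append(p)
    return {
        flow: {
            "packets": len(ps),
            "signature_hits": sum(matches_zero_payload_echo(p) for p in ps),
            "pattern": classify_ttl_pattern(ps),
        }
        for flow, ps in flows.items()
    }


def fan_in(pkts: List[EchoRequest]) -> Dict[str, int]:
    """Distinct sources probing each destination: the 'way too many hosts to the
    same host' symptom described in the thread."""
    sources: Dict[str, set] = defaultdict(set)
    for p in pkts:
        sources[p.dst].add(p.src)
    return {dst: len(s) for dst, s in sources.items()}


# Constructed sample traffic (not captured data); addresses are documentation ranges.
TARGET = "192.0.2.10"
SAMPLE: List[EchoRequest] = (
    # nine zero-payload echoes whose TTL climbs by one each: traceroute-like
    [EchoRequest(1.0 + i * 0.05, "198.51.100.7", TARGET, 3 + i, 0) for i in range(9)]
    # a plain repeated ping with a 56-byte payload and a fixed TTL
    + [EchoRequest(2.0 + i, "198.51.100.8", TARGET, 52, 56) for i in range(4)]
    # a second host doing the same nine-step probe, but carrying a payload
    + [EchoRequest(3.0 + i * 0.05, "198.51.100.9", TARGET, 7 + i, 32) for i in range(9)]
)

if __name__ == "__main__":
    for flow, info in summarise(SAMPLE).items():
        print(flow, info)
    print("distinct sources per destination:", fan_in(SAMPLE))
```

Run as-is it prints one line per source/destination pair. The first and third sources show the same TTL progression, yet only the first trips the zero-payload signature; the behavioural check flags both, while the ordinary ping is reported as constant-TTL. That is the gap Vinay is pointing at: a rule tied to one tool's packet shape is cheap to match but tells the analyst little, whereas a check on how the burst behaves holds up regardless of which tool produced it.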