[Snort-users] ICMP PING NMAP

Bill McCarty bmccarty at ...5196...
Wed Mar 20 23:58:02 EST 2002

I've had several ICMP PING NMAP alerts the last two days. These appear to 
be coming from a Macintosh host on our campus. At least once, this same 
host has tweaked TCP/548 (Appletalk), which seems to confirm its nature.

Thing is, nmap isn't likely the source of packets coming from a Macintosh 
<grin>. I read the Snort signature as defining ICMP PING NMAP merely by a 
payload size of zero:

> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
> dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon;
> sid:469; rev:1;)

Q: Can anyone confirm the possibility of a Macintosh sending a ping with 
dsize of zero? If so, can anyone suggest a way to distinguish genuine nmap 
pings from Macintosh pings?

I can almost certainly gain access to the host in question, if doing so 
would help refine the signature. I attempted to do so today, but was 
thwarted because the host is one of about two dozen computers in a lab, 
none of which are labelled <sigh>.


Bill McCarty

More information about the Snort-users mailing list