[Snort-users] ICMP PING NMAP

Martin Roesch roesch at ...1935...
Thu Mar 21 06:18:05 EST 2002


There's really not a whole lot to fingerprint there; this is a pretty loose
signature.  Here's a ping from nmap:

03/21-09:06:42.819919 10.1.1.2 -> 10.1.1.51
ICMP TTL:40 TOS:0x0 ID:39775 IpLen:20 DgmLen:28
Type:8  Code:0  ID:44295   Seq:0  ECHO

And here's a ping from my Mac (G4 running OS X):

03/21-09:05:56.405060 10.1.1.51 -> 10.1.1.1
ICMP TTL:255 TOS:0x0 ID:45241 IpLen:20 DgmLen:84
Type:8  Code:0  ID:12048   Seq:0  ECHO
3C 99 E8 C4 00 06 2E 04 08 09 0A 0B 0C 0D 0E 0F  <...............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

Now the Mac in question that you're referring to is probably running OS 9 or
below because that ping looks like it should, BSD-based.  The nmap ping
packet really doesn't have a whole lot of distinguishing features to it; the
lack of payload is the only really distinctive element of the packet that I
can see.

     -Marty

On 3/21/02 2:57 AM, "Bill McCarty" <bmccarty at ...5196...> wrote:

> I've had several ICMP PING NMAP alerts the last two days. These appear to
> be coming from a Macintosh host on our campus. At least once, this same
> host has tweaked TCP/548 (Appletalk), which seems to confirm its nature.
> 
> Thing is, nmap isn't likely the source of packets coming from a Macintosh
> <grin>. I read the Snort signature as defining ICMP PING NMAP merely by a
> payload size of zero:
> 
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
>> dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon;
>> sid:469; rev:1;)
> 
> Q: Can anyone confirm the possibility of a Macintosh sending a ping with
> dsize of zero? If so, can anyone suggest a way to distinguish genuine nmap
> pings from Macintosh pings?
> 
> I can almost certainly gain access to the host in question, if doing so
> would help refine the signature. I attempted to do so today, but was
> thwarted because the host is one of about two dozen computers in a lab,
> none of which are labelled <sigh>.
> 
> Cheers,
> 
> ---------------------------------------------------
> Bill McCarty
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
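An added example (not Marty's code and not Snort's): the two dumps above, rebuilt as raw IPv4/ICMP bytes and run through the only two conditions SID 469 actually tests, `itype:8` and `dsize:0`. The packet bytes are constructed from the values printed in the thread (addresses, TTLs, IP IDs, ICMP IDs, and the Mac's 56-byte payload), not captured traffic. The `dsize` accounting follows Snort's ICMP decoder, which strips the 8-byte echo header (type, code, checksum, id, seq) before counting data, so a `DgmLen:28` echo request is 20 bytes of IP header, 8 bytes of ICMP header and zero data. A third, hypothetical packet sends the Mac's header fields with an empty payload to show why the rule cannot tell the two sources apart.

```python
"""Constructed example: apply the match logic of Snort SID 469 (ICMP PING NMAP)
to hand-built IPv4/ICMP echo requests modelled on the dumps in the thread.
Not Snort's code; every packet here is constructed, not captured."""
import socket
import struct

ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words.
    Returns 0 when run over a header whose checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ttl, ip_id, icmp_id, seq, payload=b""):
    """Build an IPv4 packet carrying an ICMP echo request (type 8, code 0)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, icmp_id, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def decode(pkt: bytes) -> dict:
    """Extract the fields the rule tests (itype, dsize) plus the ones Snort
    prints in its dump (TTL, DgmLen). dsize follows Snort's ICMP decoder: for
    echo request/reply it is the data after the 8-byte echo header."""
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    dgmlen, ttl, proto = struct.unpack("!H", pkt[2:4])[0], pkt[8], pkt[9]
    if proto != 1:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:dgmlen]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode = icmp[0], icmp[1]
    hdr = 8 if itype in (0, 8) else 4
    return {"ttl": ttl, "dgmlen": dgmlen, "itype": itype, "icode": icode,
            "dsize": len(icmp) - hdr}


def sid469_matches(fields: dict) -> bool:
    """itype:8; dsize:0 -- the only packet conditions in SID 469."""
    return fields["itype"] == ICMP_ECHO_REQUEST and fields["dsize"] == 0


def evaluate(pkt: bytes) -> dict:
    fields = decode(pkt)
    fields["alert"] = sid469_matches(fields)
    return fields


# Payload of the Mac ping as printed in the thread's dump: an 8-byte prefix
# followed by the BSD ping fill pattern 0x08..0x37 (56 bytes in total).
MAC_PAYLOAD = bytes.fromhex("3c99e8c400062e04") + bytes(range(0x08, 0x38))

# Constructed from the two dumps in Marty's reply.
NMAP_PING = build_echo_request("10.1.1.2", "10.1.1.51", ttl=40, ip_id=39775,
                               icmp_id=44295, seq=0)
MAC_PING = build_echo_request("10.1.1.51", "10.1.1.1", ttl=255, ip_id=45241,
                              icmp_id=12048, seq=0, payload=MAC_PAYLOAD)
# Hypothetical: same host and TTL as the Mac, but a zero-length payload. The
# rule fires on it exactly as it does on nmap, which is why it is "loose".
MAC_PING_NO_DATA = build_echo_request("10.1.1.51", "10.1.1.1", ttl=255,
                                      ip_id=45242, icmp_id=12048, seq=1)


if __name__ == "__main__":
    for name, pkt in (("nmap", NMAP_PING), ("mac", MAC_PING),
                      ("mac-empty", MAC_PING_NO_DATA)):
        f = evaluate(pkt)
        print(f"{name:10s} TTL:{f['ttl']:3d} DgmLen:{f['dgmlen']:3d} "
              f"dsize:{f['dsize']:3d} ICMP PING NMAP={f['alert']}")
```

Running it prints one line per packet: the nmap-style packet decodes to DgmLen 28 and dsize 0 and matches; the Mac packet decodes to DgmLen 84 and dsize 56 and does not; the empty-payload variant matches just like nmap. The TTL (40 versus 255) is visible in the decoded fields but is not something SID 469 looks at, so any tuning would have to come from outside the rule's own conditions.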