[Snort-users] ICMP PING NMAP
roesch at ...1935...
Thu Mar 21 06:18:05 EST 2002
There's really not a whole lot to fingerprint there; this is a pretty loose
signature. Here's a ping from nmap:
03/21-09:06:42.819919 10.1.1.2 -> 10.1.1.51
ICMP TTL:40 TOS:0x0 ID:39775 IpLen:20 DgmLen:28
Type:8 Code:0 ID:44295 Seq:0 ECHO
And here's a ping from my Mac (G4 running OS X):
03/21-09:05:56.405060 10.1.1.51 -> 10.1.1.1
ICMP TTL:255 TOS:0x0 ID:45241 IpLen:20 DgmLen:84
Type:8 Code:0 ID:12048 Seq:0 ECHO
3C 99 E8 C4 00 06 2E 04 08 09 0A 0B 0C 0D 0E 0F <...............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
30 31 32 33 34 35 36 37 01234567
Now the Mac in question that you're referring to is probably running OS 9 or
below because that ping looks like it should, BSD-based. The nmap ping
packet really doesn't have a whole lot of distinguishing features to it, the
lack of payload is the only really distinctive element of the packet that I
On 3/21/02 2:57 AM, "Bill McCarty" <bmccarty at ...5196...> wrote:
> I've had several ICMP PING NMAP alerts the last two days. These appear to
> be coming from a Macintosh host on our campus. At least once, this same
> host has tweaked TCP/548 (Appletalk), which seems to confirm its nature.
> Thing is, nmap isn't likely the source of packets coming from a Macintosh
> <grin>. I read the Snort signature as defining ICMP PING NMAP merely by a
> payload size of zero:
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
>> dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon;
>> sid:469; rev:1;)
> Q: Can anyone confirm the possibility of a Macintosh sending a ping with
> dsize of zero? If so, can anyone suggest a way to distinguish genuine nmap
> pings from Macintosh pings?
> I can almost certainly gain access to the host in question, if doing so
> would help refine the signature. I attempted to do so today, but was
> thwarted because the host is one of about two dozen computers in a lab,
> none of which are labelled <sigh>.
> Bill McCarty
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
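To make the point of the thread concrete, here is an added example (not code from the original post, Snort, or nmap) that rebuilds the two packets above from constructed bytes, prints the same header summary Snort logs, and applies the quoted sid 469 logic (itype 8, dsize 0). It also checks for the BSD-style payload visible in the OS X dump (an 8-byte timestamp followed by 0x08, 0x09, ...) and shows that any empty echo request, such as a unix ping run with a zero-byte payload, trips the rule just as nmap does. The IP IDs, ICMP IDs and timestamp bytes are taken from the log lines in the message; the builder and helper names are this example's own.

```python
import socket
import struct

ICMP_ECHO_REQUEST = 8


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ttl, ip_id, icmp_id, seq, payload):
    """Assemble a raw IPv4 + ICMP echo request (constructed data for this example)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, icmp_id, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl,
                     socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(pkt):
    """Extract the fields Snort prints, plus the ICMP payload that dsize measures."""
    ver_ihl, tos, dgm_len, ip_id, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ip_len = (ver_ihl & 0x0F) * 4
    if proto != socket.IPPROTO_ICMP:
        return None
    icmp = pkt[ip_len:dgm_len]
    itype, icode, _, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "tos": tos, "ip_id": ip_id, "ip_len": ip_len, "dgm_len": dgm_len,
        "itype": itype, "icode": icode, "icmp_id": icmp_id, "seq": seq,
        "payload": icmp[8:],
    }


def sid469_matches(f):
    """The rule quoted in the thread: itype 8 and dsize 0 (dsize is the ICMP payload length)."""
    return f["itype"] == ICMP_ECHO_REQUEST and len(f["payload"]) == 0


def looks_like_bsd_ping(f):
    """BSD/OS X ping payload: 8-byte timestamp, then bytes 0x08, 0x09, ... as in the dump."""
    p = f["payload"]
    return f["itype"] == ICMP_ECHO_REQUEST and len(p) > 8 and p[8:] == bytes(range(8, len(p)))


def snort_summary(f):
    """Reproduce Snort's two-line ICMP header summary for comparison with the log excerpts."""
    return (
        "ICMP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d"
        % (f["ttl"], f["tos"], f["ip_id"], f["ip_len"], f["dgm_len"]),
        "Type:%d Code:%d ID:%d Seq:%d ECHO" % (f["itype"], f["icode"], f["icmp_id"], f["seq"]),
    )


# Constructed packets mirroring the two dumps in the message.
NMAP_PING = build_echo_request("10.1.1.2", "10.1.1.51", 40, 39775, 44295, 0, b"")
BSD_PAYLOAD = bytes.fromhex("3c99e8c400062e04") + bytes(range(8, 56))
MAC_PING = build_echo_request("10.1.1.51", "10.1.1.1", 255, 45241, 12048, 0, BSD_PAYLOAD)
# A unix ping sent with an empty payload (e.g. ping -s 0): constructed, not from the thread.
EMPTY_PING = build_echo_request("10.1.1.51", "10.1.1.1", 255, 1, 12048, 1, b"")

if __name__ == "__main__":
    for name, pkt in (("nmap", NMAP_PING), ("mac", MAC_PING), ("empty", EMPTY_PING)):
        f = parse_icmp(pkt)
        print(name, *snort_summary(f), "sid469=%s bsd=%s" % (sid469_matches(f), looks_like_bsd_ping(f)))
```

The takeaway matches the reply: the absence of a payload is the only thing sid 469 keys on, so a 28-byte echo from any source matches, while the 84-byte BSD-style ping with its timestamp and incrementing pattern does not.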