[Snort-users] Re: NMAP alerts

Maarten Van Horenbeeck maarten at ...10796...
Sat Dec 20 11:33:01 EST 2003


Hi Bob,

> I've been noticing a few PCs on our network generating large numbers of
> NMAP alerts (icmp ping nmap). It seems to be caused by "CNet Download
> Manager". I found this app loaded on two PCs generating the alert and,
> after removing it, the alerts appear to have disappeared. Has anyone else
> encountered a similar problem?

This is perfectly normal.  The Kontiki download manager (which is used by
CNET as well), sends an ICMP echo request with 0 bytes of data to the
default gateway every two seconds.  It most likely does this to assess how
good your local connection is, as part of a metric for its "secure
delivery network".  However, if you disable use of the SDN, the ICMP
packets will still continue to be transmitted.

There is a small description in the signature documentation itself:
http://www.snort.org/snort-db/sid.html?sid=469

Best regards,
Maarten

--
Maarten Van Horenbeeck
maarten at ...10796...
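
Added example, not part of the original message: a triage script that separates sources matching the pattern described above (echo requests to the default gateway about every two seconds) from sources whose sid 469 alerts look different. The alert tuples, addresses, gateway value and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of sid 469 ("ICMP PING NMAP") alerts as
# (epoch seconds, source IP, destination IP). Not data from the thread.
ALERTS = (
    # Host pinging the gateway every 2 s, as the reply describes.
    [(1000.0 + 2 * i, "192.168.1.23", "192.168.1.1") for i in range(30)]
    # Host whose alerts hit many different destinations in quick succession.
    + [(1000.0 + 0.05 * i, "192.168.1.77", f"192.168.1.{i + 1}") for i in range(40)]
    # Host with too few alerts to judge.
    + [(1000.0, "192.168.1.50", "192.168.1.1"), (1002.0, "192.168.1.50", "192.168.1.1")]
)

GATEWAY = "192.168.1.1"   # assumed default gateway for this sample
EXPECTED_PERIOD = 2.0     # seconds, from the behaviour described in the reply
PERIOD_TOLERANCE = 0.25   # assumed allowance for timer jitter
MIN_ALERTS = 5            # assumed minimum before judging a source


def classify_sources(alerts, gateway=GATEWAY):
    """Return {source_ip: verdict} for a list of sid 469 alert tuples."""
    by_src = defaultdict(list)
    for ts, src, dst in alerts:
        by_src[src].append((ts, dst))

    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        if len(events) < MIN_ALERTS:
            verdicts[src] = "insufficient-data"
            continue
        destinations = {dst for _, dst in events}
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        # Median tolerates an occasional dropped or delayed packet.
        regular = abs(median(gaps) - EXPECTED_PERIOD) <= PERIOD_TOLERANCE
        if destinations == {gateway} and regular:
            verdicts[src] = "periodic-gateway-probe"
        else:
            verdicts[src] = "investigate"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(ALERTS).items()):
        print(f"{src:15s} {verdict}")
```

A "periodic-gateway-probe" verdict only says the traffic is consistent with the download manager behaviour; confirming the software on the host is still the deciding step.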



