[Snort-users] Ping

David Alonso De La Vega Tapage delavegad at ...7768...
Wed Jun 4 07:20:03 EDT 2003

Hello Matt, and thanks for your answers.

Matt Kettler wrote:

> Depends on the ping.. and where the source IPs are. Do a reverse DNS 
> or an ARIN ipwhois query to see where this source really is. That's 
> usually my first step. 9 times out of 10 it's the DNS server for a website 
> someone was visiting. 

I did that, and in this case the source IP = ( and .68 
and .69 ) can't be identified as a website.

> One of the things you need to realize up front is that pings are 
> NORMAL. They usually do not indicate an attack, although they MIGHT 
> indicate someone doing a little bit of recon to see what IPs have 
> machines on them. You'd really have to study the pattern of pings and 
> correlate them to something more insidious before deciding that they 
> are part of recon. 

Well, at first I thought someone was doing a global or general 
scan; the pings that Snort registered are normal, but from a Linux 
box. But the ping continued... now 4 days of continuous pings. What 
does that mean, what is the reason?

> Pings are also sometimes used by backdoor programs as a communication 
> channel. These tend to be pretty obvious by the packet contents. Most 
> "normal" pings are a fairly obvious simple pattern like counting (01 
> 02 03..) all 00's, all FF's, and the like, although there is one 
> common "normal" ping which contains an image of the Microsoft logo in 
> it (it's got a jiff or bmp header in it, it's pretty obvious if you 
> read the ascii part of the packet dump.) 

Well, I'm not sure, but the payload part has this:

length = 56
000 = 5A BB DD 3E 50 99 07 00 ....
010 = 00 00 00 00 02 00 00 00 ...
020 = 00 00 00 00 08 D6 FF BF ....
030 = C0 D6 FF BF B0 E9 5E 08

The site is performance-cw.mia.pnap.net
ver     hdrlen    tos    length    id    flags    offset    ttl
4        5                0        84        0        0        0        

> As some examples of real-world things that use ping, and are using 
> them to optimize network performance:
> 1) speedera type "fastest path" distributed DNS systems will send 
> pings to your DNS servers anytime you try to resolve the domain for 
> someone using it (ie: windowsupdate does this). Those will appear to 
> come from a small range of IPs and are hardly a cause for alarm. 

Certainly, but that isn't the case.

> 2) Some systems use pings for path MTU discovery.. I think AIX does 
> this, among others.
> Certainly nobody besides an idiot would expect a few pings to freeze 
> your firewall, unless you're running some kind of ancient pile of 
> garbage that is vulnerable to one of the "Ping Of Death" variants.. 
> but you'd have to be running something that hasn't been updated since 
> 1996 for that.
> Ping of death, land, winnuke, etc are all outdated attacks that rarely 
> work on anything so you generally don't see people try them unless 
> it's part of a comprehensive vulnerability test that you hired someone 
> to do.

This is my feeling: if there is a ping, OK, it is normal, but a few 
days of constant pings, at intervals of some hours, is very strange to 
me.

> Even the lamest skript kiddies no longer use these as a matter of 
> course. DDoS, synfloods, buffer overflows against SQL, HTTP, SMTP or 
> DNS servers, and open proxy abuse are all much more common these days.

I totally agree with you, and thanks for your time!
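As an added example (not from the original post, and not Snort code), here is a Python script that reads the payload bytes the way Matt suggests: it parses a Snort-style "offset = bytes" dump, checks for the "obvious simple patterns" he lists (the Windows ping's "abcdefghijklmnopqrstuvwabcdefghi" filler, all-constant bytes, a counting sequence), and tries to decode the first 8 bytes as the struct timeval that BSD-derived and Linux ping clients put at the start of the payload to time the reply. Assumptions: a 32-bit little-endian timeval (8 bytes) as on a 2003-era x86 host, a plausibility window of 2000 to the 32-bit epoch limit for the seconds field, and the sample payloads other than the posted one are constructed for the demonstration; `parse_snort_dump`, `decode_timeval`, `classify` and `ascii_preview` are this example's own names.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed input: the 32 payload bytes shown in the post, re-typed in the
# Snort-style "offset = bytes" layout used there (8 bytes per row). The other
# 24 bytes of the 56-byte payload were not in the post and are not guessed here.
POSTED_DUMP = """\
000 = 5A BB DD 3E 50 99 07 00
010 = 00 00 00 00 02 00 00 00
020 = 00 00 00 00 08 D6 FF BF
030 = C0 D6 FF BF B0 E9 5E 08
"""

# Default 32-byte payload of the Windows ping client.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"

# Assumed plausibility window for a timestamp found in a payload:
# 2000-01-01T00:00:00Z up to the 32-bit epoch limit.
EARLIEST_SEC = 946_684_800
LATEST_SEC = 2**31 - 1

# Constructed samples: a Unix-style ping (timestamp + counting filler, as
# iputils/BSD ping send) and a toy payload carrying text, to show the
# "unrecognized, read the ASCII" path. Neither is from the post.
UNIX_MODERN = struct.pack("<II", 1054718810, 498000) + bytes(range(0x10, 0x10 + 48))
TOY_COVERT = b"exec:id\x00" + bytes(48)


def parse_snort_dump(text):
    """Collect the hex bytes of every 'OFFSET = HH HH ...' row; the ASCII column
    that Snort prints after the bytes, if present, is ignored."""
    row = re.compile(r"^\s*[0-9A-Fa-f]+\s*=\s*((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})")
    out = bytearray()
    for line in text.splitlines():
        m = row.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def decode_timeval(payload):
    """Return the first 8 bytes as an aware UTC datetime if they decode as a
    plausible little-endian struct timeval (tv_sec, tv_usec), else None.
    Assumes a 32-bit timeval; 64-bit hosts use a 16-byte one."""
    if len(payload) < 8:
        return None
    sec, usec = struct.unpack("<II", payload[:8])
    if usec >= 1_000_000 or not EARLIEST_SEC <= sec <= LATEST_SEC:
        return None
    return datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)


def is_counting(data):
    """True when every byte is the previous byte plus one (mod 256)."""
    return len(data) >= 2 and all((b - a) % 256 == 1 for a, b in zip(data, data[1:]))


def classify(payload):
    """Label a payload with one of the simple patterns named in the thread, or
    flag it for manual reading. These are triage heuristics, not signatures."""
    if not payload:
        return "empty"
    if payload[:32] == WINDOWS_PATTERN:
        return "windows-ping"
    if len(set(payload)) == 1:
        return "constant-0x%02x" % payload[0]
    if is_counting(payload):
        return "counting"
    if decode_timeval(payload) is not None:
        # Timestamp first, then either a counting filler (typical Unix ping)
        # or whatever else the client left there (older pings sent stack leftovers).
        return "unix-ping-counting" if is_counting(payload[8:]) else "unix-ping-other"
    return "unrecognized"


def ascii_preview(payload):
    """Printable rendering of the bytes, the 'ascii part of the packet dump'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


if __name__ == "__main__":
    posted = parse_snort_dump(POSTED_DUMP)
    print("posted:", classify(posted), decode_timeval(posted), ascii_preview(posted))
    for name, p in [("windows", WINDOWS_PATTERN), ("zeros", bytes(56)),
                    ("unix", UNIX_MODERN), ("toy", TOY_COVERT)]:
        print(name + ":", classify(p), ascii_preview(p))
```

On the posted bytes the script returns "unix-ping-other" and a timestamp of 2003-06-04 09:26:50.498 UTC, a couple of hours before the message was sent (07:20 EDT is 11:20 UTC), which is consistent with the first 8 bytes being a ping timestamp from a Unix-type sender. The later words 08 D6 FF BF and C0 D6 FF BF, read little-endian as 0xBFFFD608 and 0xBFFFD6C0, look like 32-bit x86 Linux user-stack addresses, which fits an older ping that sent whatever was on the stack after the timestamp; that is a reading of the dump, not something the thread establishes. Keep in mind that the timeval check has false positives (many 8-byte strings fall inside the window), so "unix-ping-other" means "read the rest of the payload", and the real answer to a multi-day series of pings is the correlation over time that Matt describes, not the classification of one packet.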
