[Snort-users] ICMP Ping NMAP troubleshooting

Stephen W. Thomas swthomas at ...9227...
Tue May 20 07:01:02 EDT 2003


Yes we have a network monitor but we've already filtered pings generated from that system out. These pings are coming from all of our W2K servers to one specific server, our DNS/Windows Terminal server.
 
All of these systems, including the snort setup, are behind our firewall as well as our snort box. We decided it would not benefit us to put snort outside our firewall. We want to monitor what's getting through on to our internal network.
 
Thanks,
Steve

	-----Original Message----- 
	From: Simon Gray [mailto:simong at ...8637...] 
	Sent: Tue 5/20/2003 8:52 AM 
	To: Stephen W. Thomas; snort-users at lists.sourceforge.net 
	Cc: 
	Subject: Re: [Snort-users] ICMP Ping NMAP troubleshooting
	
	

	Are you running any form of server checking software?
	
	Some of those tend to use pings to check if host is up.
	
	Could you not filter out external -> internal pings via a firewall?
	----- Original Message -----
	From: "Stephen W. Thomas" <swthomas at ...9227...>
	To: <snort-users at lists.sourceforge.net>
	Sent: Tuesday, May 20, 2003 2:08 PM
	Subject: [Snort-users] ICMP Ping NMAP troubleshooting
	
	
	> I've just set up a snort & acid setup on our company network. I've noticed
	> a lot of ICMP Ping NMAP hits coming from our servers and going to our W2K
	> DNS/Terminal server. I'd like to find out if this is normal or what is
	> generating the pings but I'm not sure how to track a packet with no payload
	> back to its source program. Also, if it's normal for my network, then what
	> do most people recommend?
	>
	> A. Ignore the thousands of hits it gets
	> B. Disable that one rule for the one destination.
	>
	> Any comments would be appreciated.
	>
	> Thanks,
	> Steve
	
	


