Security Incidents mailing list archives
Re: PING Nmap2.36BETA
From: Eric Kimminau <root () KIMMINAU ORG>
Date: Mon, 29 Jan 2001 17:01:47 -0500
On Mon, 29 Jan 2001, Cristian Dumitrescu wrote:
> Date: Mon, 29 Jan 2001 11:58:13 +0200
> From: Cristian Dumitrescu <omega () LUMINA RO>
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: PING Nmap2.36BETA
>
> Hey !
>
> My router got hit with over 200 PING Nmap2.36BETA pings, on 01/27 from 13:08 ... until 17:30.
> Apparently, they all came from random hosts (I counted over 150 different hosts).
> Could someone explain the purpose of these pings? It can't be a DoS, because of the time
> interval between them (from a few secs to 2-10 mins). I don't think it's a scan because of
> the increased randomness of the sources.
http://www.insecure.org/nmap/
http://www.whitehats.com/IDS/162

This is the rule that produces this alert:

    alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA"; dsize: 0; itype: 8; )

It matches whenever there is an incoming ICMP packet whose data size is 0 and whose ICMP type is 8 (echo request, I believe). It does not necessarily mean that someone is running Nmap on you. Any packet that meets the description I gave will produce the alert.

"IDSnnn" in a message means that there is information available about that signature on the arachNIDS database. See http://www.whitehats.com and in particular http://www.whitehats.com/IDS/162

NMAP -- The Network Mapper

"If your goal is to understand your network from a 40,000-foot view, then Windows port scanning tools will suffice. But if you're serious about your security and looking for the holes that crackers will find, then take the time to install a Linux box and use nmap." -- Info World

nmap is a utility for port scanning large networks, although it works fine for single hosts. The guiding philosophy for the creation of nmap was TMTOWTDI (There's More Than One Way To Do It). This is the Perl slogan, but it is equally applicable to scanners. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). You just can't do all this with one scanning mode. And you don't want to have 10 different scanners around, all with different interfaces and capabilities.
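The following is an added, constructed example (not part of the original thread or of Snort) that applies the IDS162 rule logic to hand-built IPv4/ICMP packets, to show that only a zero-data echo request from outside $HOME_NET fires it, while a standard ping carrying 56 bytes of data does not. The $HOME_NET range, the addresses and the payload sizes are assumptions.

```python
import ipaddress
import socket
import struct

# Assumed $HOME_NET for this example (any RFC 1918 range would do).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src: str, dst: str, data: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo request (type 8, code 0) carrying `data` as payload."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data          # id/seq are arbitrary
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    # IP header checksum is left 0: the rule check below never looks at it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


def matches_ids162(packet: bytes, home_net=HOME_NET) -> bool:
    """IDS162 logic: ICMP from !$HOME_NET to $HOME_NET with itype 8 and dsize 0."""
    if len(packet) < 28 or packet[9] != 1:      # too short, or IP protocol is not 1 (ICMP)
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    icmp = packet[ihl:total_len]
    itype = icmp[0]
    # dsize for an echo request is the data after the 8-byte ICMP echo header.
    dsize = len(icmp) - 8
    return itype == 8 and dsize == 0 and dst in home_net and src not in home_net
```

A Linux `ping` sends 56 data bytes by default and a Windows one 32, so neither matches; nmap's host-discovery echo carries no data, which is all this rule keys on.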
Current thread:
- PING Nmap2.36BETA Cristian Dumitrescu (Jan 29)
- Re: PING Nmap2.36BETA Ryan Russell (Jan 29)
- Re: PING Nmap2.36BETA Eric Kimminau (Jan 29)