Snort mailing list archives
ICMP PING NMAP
From: Bill McCarty <bmccarty () apu edu>
Date: Wed, 20 Mar 2002 23:57:01 -0800
I've had several ICMP PING NMAP alerts the last two days. These appear to be coming from a Macintosh host on our campus. At least once, this same host has tweaked TCP/548 (Appletalk), which seems to confirm its nature.
Thing is, nmap isn't likely the source of packets coming from a Macintosh <grin>. I read the Snort signature as defining ICMP PING NMAP merely by a payload size of zero:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)
Q: Can anyone confirm the possibility of a Macintosh sending a ping with dsize of zero? If so, can anyone suggest a way to distinguish genuine nmap pings from Macintosh pings?
I can almost certainly gain access to the host in question, if doing so would help refine the signature. I attempted to do so today, but was thwarted because the host is one of about two dozen computers in a lab, none of which are labelled <sigh>.
Cheers,

---------------------------------------------------
Bill McCarty
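The quoted rule fires on exactly two conditions, `itype: 8` (echo request) and `dsize: 0` (no ICMP payload after the 8-byte header), so any host whose ping utility sends an empty echo request will trigger SID 469 regardless of whether nmap is involved. The following is an added example, not code from the original post or from the Snort project: it builds a few constructed ICMP messages, parses them, and evaluates the rule body's two tests, so the reader can see what `dsize` is measuring. The 56-byte payload sample stands in for a typical Unix `ping`; both sample packets and the hypothetical helper names are constructed here.

```python
"""Evaluate the matching conditions of Snort SID 469 ("ICMP PING NMAP":
itype: 8; dsize: 0) against raw ICMP messages. Stand-alone; all packets
below are constructed for the example."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an ICMP echo-style message (code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into header fields and payload, verifying the checksum.
    A correct checksum makes the folded sum 0xFFFF, so the complement is 0."""
    if len(packet) < ICMP_HEADER_LEN:
        raise ValueError("ICMP header is 8 bytes")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    return {
        "itype": itype,
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": packet[ICMP_HEADER_LEN:],
    }


def matches_sid_469(packet: bytes) -> bool:
    """Rule body of SID 469: itype must be 8 and dsize (payload length, i.e. the
    bytes after the ICMP header) must be exactly 0. Sender identity plays no part."""
    fields = parse_icmp(packet)
    return fields["itype"] == ICMP_ECHO_REQUEST and len(fields["payload"]) == 0


# Constructed samples: an empty echo request, an echo request carrying the
# 56 data bytes a typical Unix ping sends, and an empty echo *reply*.
SAMPLES = {
    "empty_echo_request": build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b""),
    "56_byte_echo_request": build_icmp(ICMP_ECHO_REQUEST, 0x1234, 2, bytes(range(56))),
    "empty_echo_reply": build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, b""),
}


def evaluate(samples: dict) -> dict:
    """Return, per sample, whether SID 469 would alert on it."""
    return {name: matches_sid_469(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLES).items():
        print(f"{name:24s} dsize={len(parse_icmp(SAMPLES[name])['payload']):3d} "
              f"alert={'yes' if fired else 'no'}")
```

Only the empty echo request matches; the 56-byte request and the empty reply do not. That is the whole of the rule's discrimination, which is why the poster's question about how the Macintosh ping differs from nmap cannot be answered from `dsize` and `itype` alone.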
Current thread:
- ICMP PING NMAP Bill McCarty (Mar 21)
- Re: ICMP PING NMAP Fyodor (Mar 21)
- Re: ICMP PING NMAP Martin Roesch (Mar 21)