Snort mailing list archives

ICMP PING NMAP


From: Bill McCarty <bmccarty () apu edu>
Date: Wed, 20 Mar 2002 23:57:01 -0800

I've had several ICMP PING NMAP alerts the last two days. These appear to be coming from a Macintosh host on our campus. At least once, this same host has tweaked TCP/548 (Appletalk), which seems to confirm its nature.

Thing is, nmap isn't likely the source of packets coming from a Macintosh <grin>. I read the Snort signature as defining ICMP PING NMAP merely by a payload size of zero:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon;
sid:469; rev:1;)

Q: Can anyone confirm the possibility of a Macintosh sending a ping with dsize of zero? If so, can anyone suggest a way to distinguish genuine nmap pings from Macintosh pings?

I can almost certainly gain access to the host in question, if doing so would help refine the signature. I attempted to do so today, but was thwarted because the host is one of about two dozen computers in a lab, none of which are labelled <sigh>.

Cheers,

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
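The rule quoted in the post keys on exactly two things: ICMP type 8 (echo request) and a zero-length data field after the 8-byte ICMP echo header (Snort's dsize), plus the $EXTERNAL_NET -> $HOME_NET direction. The following Python is an added example, not code from the original post or from Snort itself; it reproduces that matching logic over constructed IPv4/ICMP packets so the reader can see which packets SID 469 fires on and which it does not. The home network 10.0.0.0/8, the addresses and the payload sizes are made up for illustration, and $EXTERNAL_NET is assumed to mean "not $HOME_NET" (a common snort.conf choice, but not the only one).

```python
import ipaddress
import struct

# Added example (not from the original post or the Snort project): applies the
# matching logic of SID 469 "ICMP PING NMAP" (itype:8; dsize:0) to raw IPv4
# packets. Assumption: $EXTERNAL_NET is the complement of $HOME_NET.


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (used by IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, itype: int, payload: bytes,
                    code: int = 0, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a minimal IPv4 (no options) + ICMP echo-style packet as constructed test data."""
    icmp = struct.pack("!BBHHH", itype, code, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_ipv4_icmp(packet: bytes):
    """Return (src, dst, itype, dsize) for an IPv4/ICMP packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    icmp = packet[ihl:total_len]
    # Snort's dsize for echo request/reply is the data after the 8-byte ICMP header.
    return src, dst, icmp[0], len(icmp) - 8


def matches_sid469(packet: bytes, home_net: str) -> bool:
    """True if the packet would trigger the 'ICMP PING NMAP' rule as quoted in the post."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return False
    src, dst, itype, dsize = parsed
    home = ipaddress.ip_network(home_net)
    src_external = ipaddress.ip_address(src) not in home   # assumed: $EXTERNAL_NET = !$HOME_NET
    dst_home = ipaddress.ip_address(dst) in home
    return src_external and dst_home and itype == 8 and dsize == 0


HOME = "10.0.0.0/8"   # constructed sample $HOME_NET

SAMPLES = {
    # echo request with no data field: what nmap's ICMP ping looks like on the wire
    "nmap_style_echo": build_ipv4_icmp("203.0.113.5", "10.1.2.3", 8, b""),
    # echo request carrying 56 bytes of data (constructed; data size is OS-dependent)
    "echo_with_data": build_ipv4_icmp("203.0.113.5", "10.1.2.3", 8, bytes(56)),
    # empty echo *reply*: dsize 0 but wrong itype
    "empty_echo_reply": build_ipv4_icmp("203.0.113.5", "10.1.2.3", 0, b""),
    # empty echo request between two $HOME_NET hosts: fails the direction test
    "internal_empty_echo": build_ipv4_icmp("10.1.2.4", "10.1.2.3", 8, b""),
}


def evaluate_samples(home_net: str = HOME) -> dict:
    """Run the rule over every constructed sample; returns {name: matched}."""
    return {name: matches_sid469(pkt, home_net) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} {'ALERT ICMP PING NMAP' if hit else '-'}")
```

The point the samples make is that the rule cannot tell an nmap ping from any other echo request that happens to carry no data; only the data length and the type are tested. Answering the question in the post therefore comes down to capturing a full packet from the Macintosh in question and comparing its ICMP data field (and, if it differs, its ID/sequence or IP-level characteristics) against what nmap sends, rather than anything the rule itself can distinguish.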
