Snort mailing list archives

Re: ICMP PING NMAP


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 21 Mar 2002 09:17:46 -0500

There's really not a whole lot to fingerprint there; this is a pretty loose
signature.  Here's a ping from nmap:

03/21-09:06:42.819919 10.1.1.2 -> 10.1.1.51
ICMP TTL:40 TOS:0x0 ID:39775 IpLen:20 DgmLen:28
Type:8  Code:0  ID:44295   Seq:0  ECHO

And here's a ping from my Mac (G4 running OS X):

03/21-09:05:56.405060 10.1.1.51 -> 10.1.1.1
ICMP TTL:255 TOS:0x0 ID:45241 IpLen:20 DgmLen:84
Type:8  Code:0  ID:12048   Seq:0  ECHO
3C 99 E8 C4 00 06 2E 04 08 09 0A 0B 0C 0D 0E 0F  <...............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

Now, the Mac in question that you're referring to is probably running OS 9 or
below, because that ping looks like it should: BSD-based.  The nmap ping
packet really doesn't have a whole lot of distinguishing features to it; the
lack of payload is the only really distinctive element of the packet that I
can see.

     -Marty

On 3/21/02 2:57 AM, "Bill McCarty" <bmccarty () apu edu> wrote:

I've had several ICMP PING NMAP alerts the last two days. These appear to
be coming from a Macintosh host on our campus. At least once, this same
host has tweaked TCP/548 (AppleTalk), which seems to confirm its nature.

Thing is, nmap isn't likely the source of packets coming from a Macintosh
<grin>. I read the Snort signature as defining ICMP PING NMAP merely by a
payload size of zero:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon;
sid:469; rev:1;)

Q: Can anyone confirm the possibility of a Macintosh sending a ping with
dsize of zero? If so, can anyone suggest a way to distinguish genuine nmap
pings from Macintosh pings?

I can almost certainly gain access to the host in question, if doing so
would help refine the signature. I attempted to do so today, but was
thwarted because the host is one of about two dozen computers in a lab,
none of which are labelled <sigh>.

Cheers,

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
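Bill's question (whether the dsize:0 test alone separates an nmap probe from a BSD-style ping) worked through as an added Python example; this is not code from either poster or from Snort. It parses the two packet logs quoted above (re-typed here as constructed sample input), recomputes dsize from DgmLen and IpLen, applies the conditions of sid:469, and checks the Mac payload for the counting-up byte pattern visible in Marty's dump. Treating the first 8 payload bytes as a timestamp is an assumption.

```python
import re

# Constructed sample input in Snort's ASCII log format, modelled on the two
# echo requests quoted in the thread: the nmap probe, then the Mac ping.
SAMPLE_LOG = """\
03/21-09:06:42.819919 10.1.1.2 -> 10.1.1.51
ICMP TTL:40 TOS:0x0 ID:39775 IpLen:20 DgmLen:28
Type:8  Code:0  ID:44295   Seq:0  ECHO

03/21-09:05:56.405060 10.1.1.51 -> 10.1.1.1
ICMP TTL:255 TOS:0x0 ID:45241 IpLen:20 DgmLen:84
Type:8  Code:0  ID:12048   Seq:0  ECHO
3C 99 E8 C4 00 06 2E 04 08 09 0A 0B 0C 0D 0E 0F  <...............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
"""

ICMP_HDR_LEN = 8  # type, code, checksum, identifier, sequence
HDR_RE = re.compile(r"^ICMP TTL:\d+ TOS:\S+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)")
TYPE_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)")

def parse_records(text):
    """Yield (src, dst, itype, dsize, payload) for each record in a Snort log."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        src, _, dst = lines[0].split()[1:4]
        iplen, dgmlen = map(int, HDR_RE.match(lines[1]).groups())
        itype = int(TYPE_RE.match(lines[2]).group(1))
        # Snort's dsize is the payload after the IP and ICMP headers.
        dsize = dgmlen - iplen - ICMP_HDR_LEN
        # Hex dump lines carry 16 bytes in the first 47 columns, then ASCII.
        payload = bytes.fromhex("".join(line[:48] for line in lines[3:]))
        yield src, dst, itype, dsize, payload

def sid469_matches(itype, dsize):
    """The rule from the thread: itype:8 and dsize:0 ("ICMP PING NMAP")."""
    return itype == 8 and dsize == 0

def looks_like_bsd_ping(payload):
    """Assumed BSD ping shape: 8-byte timestamp, then bytes counting up from 0x08."""
    body = payload[ICMP_HDR_LEN:]
    return len(body) > 0 and all(b == 8 + i for i, b in enumerate(body))

def classify(text):
    """Label each echo request by which check it satisfies."""
    results = []
    for src, dst, itype, dsize, payload in parse_records(text):
        if sid469_matches(itype, dsize):
            verdict = "sid:469 fires (empty echo)"
        elif itype == 8 and looks_like_bsd_ping(payload):
            verdict = "BSD-style ping payload"
        else:
            verdict = "other"
        results.append((src, dst, dsize, verdict))
    return results
```

The nmap probe carries a 28-byte datagram, so dsize is 0 and the rule fires; the Mac ping carries 56 payload bytes and never matches sid:469, which is why the alert cannot be explained by a BSD ping of this shape.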

