Snort mailing list archives
Re: ICMP PING NMAP
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 21 Mar 2002 09:17:46 -0500
There's really not a whole lot to fingerprint there; this is a pretty loose signature. Here's a ping from nmap:

03/21-09:06:42.819919 10.1.1.2 -> 10.1.1.51
ICMP TTL:40 TOS:0x0 ID:39775 IpLen:20 DgmLen:28
Type:8  Code:0  ID:44295   Seq:0  ECHO

And here's a ping from my Mac (G4 running OS X):

03/21-09:05:56.405060 10.1.1.51 -> 10.1.1.1
ICMP TTL:255 TOS:0x0 ID:45241 IpLen:20 DgmLen:84
Type:8  Code:0  ID:12048   Seq:0  ECHO
3C 99 E8 C4 00 06 2E 04 08 09 0A 0B 0C 0D 0E 0F  <...............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

Now the Mac in question that you're referring to is probably running OS 9 or below, because that ping looks like it should, BSD-based. The nmap ping packet really doesn't have a whole lot of distinguishing features to it; the lack of payload is the only really distinctive element of the packet that I can see.

-Marty

On 3/21/02 2:57 AM, "Bill McCarty" <bmccarty () apu edu> wrote:
I've had several ICMP PING NMAP alerts the last two days. These appear to be coming from a Macintosh host on our campus. At least once, this same host has tweaked TCP/548 (Appletalk), which seems to confirm its nature. Thing is, nmap isn't likely the source of packets coming from a Macintosh <grin>.

I read the Snort signature as defining ICMP PING NMAP merely by a payload size of zero:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

Q: Can anyone confirm the possibility of a Macintosh sending a ping with dsize of zero? If so, can anyone suggest a way to distinguish genuine nmap pings from Macintosh pings?

I can almost certainly gain access to the host in question, if doing so would help refine the signature. I attempted to do so today, but was thwarted because the host is one of about two dozen computers in a lab, none of which are labelled <sigh>.

Cheers,

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
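The following is an added example, not code from the thread, from Snort, or from nmap. It rebuilds the two echo requests Marty pasted as raw IPv4+ICMP bytes (addresses, TTL, IP ID, ICMP ID and the payload pattern are taken from his packet summaries; the bytes themselves are constructed here) and applies the two conditions of sid:469, `itype:8` and `dsize:0`, to each. The matcher is a stand-alone reimplementation of those two rule options, not Snort's detection engine; `dsize` is computed the way Snort's ICMP decoder sees it, as the bytes after the 8-byte echo header.

```python
"""Reconstruct the two echo requests from the thread and test them against
the logic of Snort sid:469 (itype:8; dsize:0).  Added example; packet bytes
are constructed from the summaries in the post, not captured."""
import socket
import struct

ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ttl, ip_id, icmp_id, seq, payload=b""):
    """Assemble an IPv4 datagram carrying an ICMP echo request (type 8, code 0)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, icmp_id, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0, ttl,
                      socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def decode(pkt: bytes):
    """Pull out the fields Snort prints for an ICMP packet, plus dsize.

    dsize is what the rule option sees: bytes after the 8-byte echo header,
    i.e. DgmLen - IpLen - 8.  Returns None for non-ICMP traffic."""
    (ver_ihl, tos, dgm_len, ip_id, _, ttl, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ip_len = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != socket.IPPROTO_ICMP:
        return None
    itype, icode, _, icmp_id, seq = struct.unpack("!BBHHH", pkt[ip_len:ip_len + 8])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "tos": tos, "ip_id": ip_id, "ip_len": ip_len, "dgm_len": dgm_len,
        "itype": itype, "icode": icode, "icmp_id": icmp_id, "seq": seq,
        "dsize": dgm_len - ip_len - 8,
        "payload": pkt[ip_len + 8:dgm_len],
        # a valid ICMP checksum makes the one's-complement sum fold to zero
        "csum_ok": inet_checksum(pkt[ip_len:dgm_len]) == 0,
    }


def sid469_matches(pkt: bytes) -> bool:
    """The only conditions sid:469 tests: echo request with no payload at all.
    Any host that sends a bare 8-byte echo request matches, nmap or not."""
    d = decode(pkt)
    return d is not None and d["itype"] == ICMP_ECHO_REQUEST and d["dsize"] == 0


def snort_summary(pkt: bytes) -> str:
    """One-line summary in the layout of Snort's packet log (timestamp omitted)."""
    return ("%(src)s -> %(dst)s ICMP TTL:%(ttl)d TOS:0x%(tos)X ID:%(ip_id)d "
            "IpLen:%(ip_len)d DgmLen:%(dgm_len)d Type:%(itype)d Code:%(icode)d "
            "ID:%(icmp_id)d Seq:%(seq)d" % decode(pkt))


# Constructed from the summaries in the post.
# nmap's echo request: 20-byte IP header + 8-byte ICMP header, nothing else.
NMAP_PING = build_echo_request("10.1.1.2", "10.1.1.51", ttl=40, ip_id=39775,
                               icmp_id=44295, seq=0)

# BSD ping (Mac OS X here) fills its 56-byte default payload with an 8-byte
# timeval followed by the byte pattern 0x08..0x37, exactly as in the hex dump.
MAC_PING = build_echo_request("10.1.1.51", "10.1.1.1", ttl=255, ip_id=45241,
                              icmp_id=12048, seq=0,
                              payload=bytes.fromhex("3c99e8c400062e04")
                              + bytes(range(0x08, 0x38)))

if __name__ == "__main__":
    for name, pkt in (("nmap", NMAP_PING), ("Mac OS X", MAC_PING)):
        verdict = "sid:469 match" if sid469_matches(pkt) else "no match"
        print("%-9s %s  [%s]" % (name, snort_summary(pkt), verdict))
```

Running it reproduces the DgmLen:28 versus DgmLen:84 split from the post: the nmap packet matches because it carries no data, and the Mac OS X packet does not because its dsize is 56. Nothing else in the rule (TTL, IP ID, ICMP ID, sequence number) is consulted, which is why any stack that emits an empty echo request will trigger the same alert.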
Current thread:
- ICMP PING NMAP Bill McCarty (Mar 21)
- Re: ICMP PING NMAP Fyodor (Mar 21)
- Re: ICMP PING NMAP Martin Roesch (Mar 21)