Snort mailing list archives
Re: ICMP Ping NMAP
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 17 Jul 2002 13:25:49 -0400
I think a lot of instant messengers use it as a heartbeat mechanism, just a theory but I've been seeing a lot of it lately as well in deployments at corporate sites. The rule is really just looking for an ICMP PING with a 0-byte payload, the msg field for that rule should probably be updated.

-Marty

On 7/17/02 12:47 PM, "larosa, vjay" <larosa_vjay () emc com> wrote:
Hello,

Does anybody know of tools other than Nmap that will set off the ICMP Ping NMAP signature? I am seeing lots of these events, the odd thing though is the TTL values are starting at around 7 and decrementing for each subsequent packet. I am going to play with nmap to see if this is consistent. I thought I would throw this out there to see if anybody else has come across this one.

Thanks!

vjl

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
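The condition described in the reply above (an ICMP echo request carrying a 0-byte payload), checked against raw IPv4 packets together with the TTL pattern from the quoted question. This is an added example, not part of the original thread and not Snort's own code; the function names, addresses and sample packets are constructed for illustration.

```python
import struct

def build_echo_request(ttl, payload=b""):
    """Constructed IPv4 + ICMP echo request for the sample data (checksums left 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + icmp

def inspect_packet(pkt):
    """Return (ttl, icmp_payload_len) for an unfragmented echo request, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len > len(pkt) or total_len < ihl + 8:
        return None                      # truncated or malformed
    if frag & 0x1FFF:                    # later fragment: no ICMP header here
        return None
    if pkt[9] != 1 or pkt[ihl] != 8:     # protocol ICMP, type 8 (echo request)
        return None
    return pkt[8], total_len - ihl - 8   # TTL, bytes after the 8-byte ICMP header

def empty_pings(packets):
    """TTLs of the packets that are echo requests with a 0-byte payload."""
    hits = []
    for pkt in packets:
        info = inspect_packet(pkt)
        if info is not None and info[1] == 0:
            hits.append(info[0])
    return hits

def ttl_decreasing(ttls):
    """True when each TTL is lower than the one before it."""
    return len(ttls) > 1 and all(a > b for a, b in zip(ttls, ttls[1:]))

# Constructed sample: three empty pings with falling TTLs and one ordinary ping.
SAMPLE = [
    build_echo_request(7),
    build_echo_request(6),
    build_echo_request(64, b"abcdefgh" * 4),
    build_echo_request(5),
]

if __name__ == "__main__":
    ttls = empty_pings(SAMPLE)
    print("empty echo requests, TTLs:", ttls, "decreasing:", ttl_decreasing(ttls))
```

Any sender of empty echo requests matches this check, whatever tool produced them, so the TTL list is what separates one traffic source from another when triaging these alerts.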
Current thread:
- ICMP Ping NMAP larosa, vjay (Jul 17)
- Re: ICMP Ping NMAP Martin Roesch (Jul 17)
- <Possible follow-ups>
- RE: ICMP Ping NMAP larosa, vjay (Jul 17)
- RE: ICMP Ping NMAP larosa, vjay (Jul 30)
- Re: ICMP Ping NMAP Vinay A. Mahadik (Jul 31)
- RE: ICMP Ping NMAP larosa, vjay (Jul 31)