Snort mailing list archives
RE: ICMP PING speedera
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Fri, 19 Jul 2002 12:07:21 -0400
IMHO these rules are usefull in identifying specific programs doing the pinging. My first thought woudl be monitoring applications. I had this when I began runnign my IPCheck utility on my IDS subnet. The alert was "Delphi Ping". I used Foundstones "bintext' utility to search for teh text string in all binaries in the offending server, which picked up the string in my ipcheck.exe. hth, John Hicks -----Original Message----- From: L. Christopher Luther [mailto:CLuther () Xybernaut com] Sent: Friday, July 19, 2002 11:56 AM To: 'snort-users () lists sourceforge net' Subject: [Snort-users] ICMP PING speedera -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can anyone give me a good definition of what exactly a "ICMP PING speedera" is? Snort on is detecting *many* of these types of pings against my web server. All activity is originating from different hosts during each scan cycle, but the same group of hosts is repeated during each cycle. See below for a sample of this activity: 07/19/02-10:25:02.329385 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x 07/19/02-10:25:02.339568 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x 07/19/02-10:25:02.347032 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 - -> 10.x.x.x 07/19/02-10:25:02.352278 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x 07/19/02-10:25:02.353595 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x 07/19/02-10:25:02.362706 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 - -> 10.x.x.x 07/19/02-10:25:02.376253 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 63.238.125.34 -> 10.x.x.x 07/19/02-10:25:02.386243 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x 07/19/02-10:25:02.397752 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x 07/19/02-10:25:02.404776 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x 07/19/02-10:25:02.420922 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x 07/19/02-10:25:02.454157 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x 07/19/02-11:37:55.348729 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x 07/19/02-11:37:55.359533 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x 07/19/02-11:37:55.362571 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 - -> 10.x.x.x 07/19/02-11:37:55.366961 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x 07/19/02-11:37:55.369756 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x 07/19/02-11:37:55.377139 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 - -> 10.x.x.x 07/19/02-11:37:55.402405 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x 07/19/02-11:37:55.404888 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x 07/19/02-11:37:55.425166 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x 07/19/02-11:37:55.453302 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x 07/19/02-11:37:55.464767 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x Sincerely, L. Christopher Luther Technology Manager Xybernaut Solutions, Inc. (703) 506-0400 x230 cluther () xybernaut com http://www.xybernautsolutions.com <http://www.xybernautsolutions.com> My PGP Public Key: http://keyserver.pgp.com/pks/lookup?op=get <http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88> &search=0x21261B88 CONFIDENTIALITY NOTE: This communication contains information that is confidential and/or legally privileged. This information is intended only for the use of the individual or entity named on this communication. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, printing or other use of, or any action in reliance on, the contents of this communication is strictly prohibited. If you receive this communication in error, please immediately notify us by telephone at (703) 506-0400. - ------------------------------------------------------------ Unsolicited commercial e-mail will automatically be reported to the appropriate abuse@ - without exception. - ------------------------------------------------------------ -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.1 iQA/AwUBPTg2pau/XM0hJhuIEQJptQCg15BOhF3YIVTaJBp7H69Of5XSNrIAn2G8 evAYtpvA+WSilrl6CwKuX+Oh =lUhN -----END PGP SIGNATURE-----
Current thread:
- ICMP PING speedera L. Christopher Luther (Jul 19)
- Re: ICMP PING speedera J. Craig Woods (Jul 19)
- <Possible follow-ups>
- RE: ICMP PING speedera Hicks, John (Jul 19)
- ICMP Ping speedera Jessup, Justin (Jul 19)
- RE: ICMP PING speedera L. Christopher Luther (Jul 19)
- Re: RE: ICMP PING speedera Jim Burwell (Jul 19)
- RE: RE: ICMP PING speedera Neville, Greg (Jul 19)
- RE: RE: ICMP PING speedera L. Christopher Luther (Jul 19)