Snort mailing list archives

RE: ICMP PING speedera


From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Fri, 19 Jul 2002 12:07:21 -0400

IMHO these rules are useful in identifying specific programs doing the
pinging. My first thought would be monitoring applications. I had this when
I began running my IPCheck utility on my IDS subnet. The alert was "Delphi
Ping". I used Foundstone's "bintext" utility to search for the text string in
all binaries on the offending server, which picked up the string in my
ipcheck.exe.

hth,

John Hicks

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Friday, July 19, 2002 11:56 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] ICMP PING speedera

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 

Can anyone give me a good definition of what exactly an "ICMP PING
speedera" is?  Snort is detecting *many* of these types of pings
against my web server.

All activity is originating from different hosts during each scan 
cycle, but the same group of hosts is repeated during each cycle. 
See below for a sample of this activity: 

07/19/02-10:25:02.329385  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-10:25:02.339568  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-10:25:02.347032  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-10:25:02.352278  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-10:25:02.353595  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-10:25:02.362706  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-10:25:02.376253  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 63.238.125.34 -> 10.x.x.x
07/19/02-10:25:02.386243  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-10:25:02.397752  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-10:25:02.404776  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-10:25:02.420922  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-10:25:02.454157  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x

07/19/02-11:37:55.348729  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-11:37:55.359533  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-11:37:55.362571  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-11:37:55.366961  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-11:37:55.369756  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-11:37:55.377139  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-11:37:55.402405  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-11:37:55.404888  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-11:37:55.425166  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-11:37:55.453302  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-11:37:55.464767  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x


Sincerely,  

L. Christopher Luther  
Technology Manager  
Xybernaut Solutions, Inc.  
(703) 506-0400 x230  
cluther () xybernaut com  
http://www.xybernautsolutions.com

My PGP Public Key:
http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88

CONFIDENTIALITY NOTE:  This communication contains 
information that is confidential and/or legally privileged.  
This information is intended only for the use of the individual 
or entity named on this communication. If you are not the 
intended recipient, you are hereby notified that any disclosure, 
copying, distribution, printing or other use of, or any action 
in reliance on, the contents of this communication is strictly 
prohibited.  If you receive this communication in error, please 
immediately notify us by telephone at (703) 506-0400. 

------------------------------------------------------------
Unsolicited commercial e-mail will automatically be reported
to the appropriate abuse@ - without exception.
------------------------------------------------------------

-----BEGIN PGP SIGNATURE----- 
Version: PGP 7.1.1 

iQA/AwUBPTg2pau/XM0hJhuIEQJptQCg15BOhF3YIVTaJBp7H69Of5XSNrIAn2G8 
evAYtpvA+WSilrl6CwKuX+Oh 
=lUhN 
-----END PGP SIGNATURE----- 
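The check a practitioner would want to run on alerts like the ones quoted above is whether the same group of sources really does recur every cycle, and how far apart the cycles are. The script below is an added example, not code from the thread or from Snort: it re-joins the mail-wrapped alert lines (including the PGP dash-escaped "- ->"), parses Snort's fast alert format, clusters alerts into cycles using an assumed 30-second gap, and reports which sources recur in every cycle and which appear only once. The sample input is constructed from a subset of the quoted alerts plus one made-up source, 198.51.100.7, that shows up in only one cycle; 10.x.x.x is the redacted destination exactly as the original post gives it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the alerts quoted in the thread, wrapped
# the way the mail client wrapped them (one line PGP dash-escaped as "- ->"),
# plus one made-up source, 198.51.100.7, seen in a single cycle only.
SAMPLE = """\
07/19/02-10:25:02.329385  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 ->
10.x.x.x
07/19/02-10:25:02.347032  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130
- -> 10.x.x.x
07/19/02-11:37:55.348729  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 ->
10.x.x.x
07/19/02-11:37:55.362571  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130
- -> 10.x.x.x
07/19/02-11:37:55.370000  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 ->
10.x.x.x
"""

TS_START = re.compile(r"^\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+")

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def unwrap(text):
    """Re-join alert lines a mail client wrapped and undo PGP clearsign
    dash-escaping, so every alert is back on one line."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("- "):      # clearsign escapes lines that start with '-'
            line = line[2:]
        if not line:
            continue
        if TS_START.match(line) or not out:
            out.append(line)           # a new alert starts with a timestamp
        else:
            out[-1] += " " + line.lstrip()
    return "\n".join(out)

def parse_alerts(text, sid=None):
    """Parse fast-format alert lines into dicts; optionally keep only one SID."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue                   # not an alert line; ignore it
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%y-%H:%M:%S.%f")
        a["sid"] = int(a["sid"])
        if sid is None or a["sid"] == sid:
            alerts.append(a)
    return alerts

def group_cycles(alerts, gap=timedelta(seconds=30)):
    """Split alerts into bursts ('cycles'): a new cycle starts when more than
    `gap` (an assumed threshold) has passed since the previous alert."""
    cycles = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if cycles and a["ts"] - cycles[-1][-1]["ts"] <= gap:
            cycles[-1].append(a)
        else:
            cycles.append([a])
    return cycles

def recurring_sources(cycles):
    """Return (sources present in every cycle, sources seen in only one cycle)."""
    per_cycle = [{a["src"] for a in c} for c in cycles]
    if not per_cycle:
        return set(), set()
    common = set.intersection(*per_cycle)
    once = {s for st in per_cycle for s in st
            if sum(s in other for other in per_cycle) == 1}
    return common, once

def cycle_intervals(cycles):
    """Time between the first alert of consecutive cycles."""
    starts = [c[0]["ts"] for c in cycles]
    return [b - a for a, b in zip(starts, starts[1:])]

if __name__ == "__main__":
    cycles = group_cycles(parse_alerts(unwrap(SAMPLE), sid=480))
    common, once = recurring_sources(cycles)
    print(len(cycles), "cycles; recurring:", sorted(common), "one-off:", sorted(once))
    print("intervals:", [str(d) for d in cycle_intervals(cycles)])
```

Run against a full alert file rather than the constructed sample, a stable recurring set at a regular interval points to a fixed pool of measurement hosts, while sources that appear in only one cycle are the ones worth a closer look; the 30-second gap should be tuned to how tightly the bursts cluster on your own sensor.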
