Snort mailing list archives

RE: ICMP Ping NMAP


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 30 Jul 2002 17:32:17 -0400

Hello Everyone,

Unfortunately I am still working on this same problem. I do have some more
information to share, so maybe someone out there can help me solve this
problem. Here are the characteristics:

1) Thousands of ICMP NMAP ping events per day are being triggered.
2) Each ICMP packet has NO payload.
3) The TTL of the first packet is always 1, then 8 more are sent, each
   incrementing the TTL until it reaches 9 (I had previously stated the
   reverse, sorry).
4) The ICMP ID always has a gap between the first two packets, then the next 7
   packets' ICMP IDs increment by 1.
5) Several hundred systems are all targeting two to 4 IP addresses,
   primarily 1, with these types of packets.
6) These are all Windows based PCs (so this is not firewalking).
7) There is no traffic being sent back from the DST address.

Here is a tcpdump of the traffic.

15:58:08.216796 X.X.58.46 > X.X.6.192: icmp: echo request [ttl 1] (id 22817, len 28)
15:58:12.812741 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 2, id 22891, len 28)
15:58:18.040037 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 3, id 23009, len 28)
15:58:18.041442 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 4, id 23010, len 28)
15:58:18.043954 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 5, id 23011, len 28)
15:58:18.046171 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 6, id 23012, len 28)
15:58:18.048413 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 7, id 23013, len 28)
15:58:18.056783 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 8, id 23014, len 28)
15:58:18.065525 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 9, id 23016, len 28)
16:00:12.399997 X.X.110.34 > X.X.6.192: icmp: echo request [ttl 1] (id 1901, len 28)
16:00:16.913454 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 2, id 1912, len 28)
16:00:21.429071 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 3, id 1922, len 28)
16:00:21.436093 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 4, id 1923, len 28)
16:00:21.438885 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 5, id 1924, len 28)
16:00:21.441510 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 6, id 1925, len 28)
16:00:21.444096 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 7, id 1926, len 28)
16:00:21.452851 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 8, id 1927, len 28)
16:00:21.461777 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 9, id 1928, len 28)

If anybody has any ideas as to what may cause this traffic I would appreciate
any input.

vjl
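Added example (not part of the original post or of Snort): a small triage script that parses tcpdump echo-request lines in the format shown above, groups them per source/destination pair, and flags flows that show the reported signature, i.e. payload-less 28-byte echo requests whose TTL starts at 1 and climbs by one per packet. The sample lines are constructed; the flagging threshold and the ordinary-ping contrast flow are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the post's tcpdump format: a TTL-stepping, payload-less
# flow like the one reported, plus an ordinary ping flow for contrast.
SAMPLE = """\
15:58:08.216796 X.X.58.46 > X.X.6.192: icmp: echo request [ttl 1] (id 22817, len 28)
15:58:12.812741 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 2, id 22891, len 28)
15:58:18.040037 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 3, id 23009, len 28)
15:58:18.041442 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 4, id 23010, len 28)
16:00:12.399997 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 128, id 1901, len 60)
16:00:13.401002 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 128, id 1902, len 60)
"""

# tcpdump flags TTL 1 as "[ttl 1]" and prints "(ttl N, ...)" otherwise.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: echo request "
    r"(?:\[ttl (?P<ttl_a>\d+)\] \(|\(ttl (?P<ttl_b>\d+), )"
    r"id (?P<id>\d+), len (?P<len>\d+)\)$"
)
HEADERS_ONLY = 28  # 20-byte IP header + 8-byte ICMP echo header, no payload

def parse_line(line):
    """Return (src, dst, ttl, ip_id, length) for an echo-request line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ttl = int(m.group("ttl_a") or m.group("ttl_b"))
    return m.group("src"), m.group("dst"), ttl, int(m.group("id")), int(m.group("len"))

def group_flows(text):
    """Group parsed packets by (src, dst) in capture order."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[rec[:2]].append(rec[2:])
    return flows

def is_ttl_sweep(pkts, min_hops=3):
    """True for payload-less echo requests whose TTL starts at 1 and climbs by one."""
    if len(pkts) < min_hops:
        return False
    ttls = [ttl for ttl, _, _ in pkts]
    no_payload = all(length == HEADERS_ONLY for _, _, length in pkts)
    return no_payload and ttls == list(range(1, len(ttls) + 1))

def find_sweeps(text):
    """Return (src, dst) pairs whose traffic shows the TTL-sweep pattern."""
    return sorted(k for k, pkts in group_flows(text).items() if is_ttl_sweep(pkts))
```

Running `find_sweeps` over a larger capture gives the list of source hosts worth examining for the software that emits this traceroute-style probing, which is the open question in the post.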


