Snort mailing list archives
RE: ICMP Ping NMAP
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 30 Jul 2002 17:32:17 -0400
Hello Everyone,

Unfortunately I am still working on this same problem. I do have some more information to share so maybe someone out there can help me solve this problem. Here are the characteristics:

1) Thousands of ICMP NMAP ping events per day are being triggered.
2) Each ICMP packet has NO payload.
3) The TTL of the first packet is always 1, then 8 more are sent, each incrementing the TTL until it reaches 9 (I had previously stated the reverse, sorry).
4) ICMP ID always has a gap between the first two packets, then the next 7 packets' ICMP IDs increment by 1.
5) Several hundred systems are all targeting two to 4 IP addresses. Primarily 1 with these types of packets.
6) These are all Windows based PCs (so this is not firewalking).
7) There is no traffic being sent back from the DST address.

Here is a tcpdump of the traffic.

15:58:08.216796 X.X.58.46 > X.X.6.192: icmp: echo request [ttl 1] (id 22817, len 28)
15:58:12.812741 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 2, id 22891, len 28)
15:58:18.040037 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 3, id 23009, len 28)
15:58:18.041442 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 4, id 23010, len 28)
15:58:18.043954 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 5, id 23011, len 28)
15:58:18.046171 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 6, id 23012, len 28)
15:58:18.048413 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 7, id 23013, len 28)
15:58:18.056783 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 8, id 23014, len 28)
15:58:18.065525 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 9, id 23016, len 28)
16:00:12.399997 X.X.110.34 > X.X.6.192: icmp: echo request [ttl 1] (id 1901, len 28)
16:00:16.913454 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 2, id 1912, len 28)
16:00:21.429071 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 3, id 1922, len 28)
16:00:21.436093 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 4, id 1923, len 28)
16:00:21.438885 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 5, id 1924, len 28)
16:00:21.441510 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 6, id 1925, len 28)
16:00:21.444096 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 7, id 1926, len 28)
16:00:21.452851 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 8, id 1927, len 28)
16:00:21.461777 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 9, id 1928, len 28)

If anybody has any ideas as to what may cause this traffic I would appreciate any input.

vjl
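As an added example (not code from the post, nor from Snort or tcpdump), here is a small Python parser for tcpdump lines in the format quoted above: it groups echo requests per source/destination pair and reports runs whose TTL climbs 1, 2, 3, ... one packet at a time, the traceroute-like shape the post describes. The sample lines are a constructed subset of the post's dump, and the `min_len` threshold is an assumption of mine.

```python
import re
from collections import defaultdict
# Constructed sample: six of the tcpdump lines quoted in the post, covering both
# of its TTL notations ("[ttl 1]" and "(ttl N, id M, len 28)").
SAMPLE = """\
15:58:08.216796 X.X.58.46 > X.X.6.192: icmp: echo request [ttl 1] (id 22817, len 28)
15:58:12.812741 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 2, id 22891, len 28)
15:58:18.040037 X.X.58.46 > X.X.6.192: icmp: echo request (ttl 3, id 23009, len 28)
16:00:12.399997 X.X.110.34 > X.X.6.192: icmp: echo request [ttl 1] (id 1901, len 28)
16:00:16.913454 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 2, id 1912, len 28)
16:00:21.429071 X.X.110.34 > X.X.6.192: icmp: echo request (ttl 3, id 1922, len 28)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: echo request "
    r"(?:\[ttl (?P<ttl_a>\d+)\] \(id (?P<id_a>\d+), len (?P<len_a>\d+)\)"
    r"|\(ttl (?P<ttl_b>\d+), id (?P<id_b>\d+), len (?P<len_b>\d+)\))$")

def parse_line(line):
    """Return one echo-request record from a tcpdump line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = lambda a, b: int(m.group(a) or m.group(b))
    ttl, ip_id, length = g("ttl_a", "ttl_b"), g("id_a", "id_b"), g("len_a", "len_b")
    # len is the IP total length; 20-byte IP header + 8-byte ICMP header = 28 means a
    # zero-byte echo payload (assuming no IP options), matching the post's item 2.
    return {"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
            "ttl": ttl, "id": ip_id, "payload": max(length - 28, 0)}

def find_ttl_sweeps(text, min_len=3):
    """Per (src, dst) pair, report runs of echo requests whose TTL starts at 1 and rises by one per packet."""
    flows = defaultdict(list)
    for pkt in filter(None, map(parse_line, text.splitlines())):
        flows[(pkt["src"], pkt["dst"])].append(pkt)
    sweeps = []

    def flush(run, src, dst):                      # record a finished run if long enough
        if len(run) >= min_len:
            sweeps.append({"src": src, "dst": dst, "ttls": [p["ttl"] for p in run],
                           "ids": [p["id"] for p in run],
                           "empty_payload": all(p["payload"] == 0 for p in run)})

    for (src, dst), pkts in flows.items():
        run = []
        for pkt in pkts + [None]:                  # trailing None flushes the last run
            if pkt and run and pkt["ttl"] == run[-1]["ttl"] + 1:
                run.append(pkt)
            else:                                  # sequence broken, or a new sweep at TTL 1
                flush(run, src, dst)
                run = [pkt] if pkt and pkt["ttl"] == 1 else []
    return sweeps
```

A run is only reported once it spans at least `min_len` consecutive TTLs, so an isolated echo request with a low TTL does not trigger it.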
Current thread:
- ICMP Ping NMAP larosa, vjay (Jul 17)
- Re: ICMP Ping NMAP Martin Roesch (Jul 17)
- <Possible follow-ups>
- RE: ICMP Ping NMAP larosa, vjay (Jul 17)
- RE: ICMP Ping NMAP larosa, vjay (Jul 30)
- Re: ICMP Ping NMAP Vinay A. Mahadik (Jul 31)
- RE: ICMP Ping NMAP larosa, vjay (Jul 31)