Snort mailing list archives

Re: ICMP Ping NMAP


From: "Vinay A. Mahadik" <VAMahadik () lbl gov>
Date: Tue, 30 Jul 2002 15:54:10 -0700

"larosa, vjay" wrote:

> Hello Everyone,
>
> Unfortunately I am still working on this same problem. I do have some more
> information to share so maybe someone out there can help me solve this
> problem. Here are the characteristics,


I could be wrong, but it looks like a custom traceroute-like tool to me.
Perhaps your firewall blocks UDP high ports etc.?

This actually reminds me of a question I think I had posted before that was
never answered: what's the point in having signatures for *tools* of
reconnaissance (nmap, queso etc.)? E.g. in this case, assuming it is a
scan, and knowing that the TTL is changing, the attacker is probably
root and thus can randomize most of the headers/fields that are
irrelevant to scanning. Simply because some nice/standard scanners use
specific tags/marks, should an IDS include rules for all such that are
ever created? There are so many such rules in Snort, and I fail to see
how such sigs are useful given the overhead of searching through all
(an increasing number) of them.

Any thoughts?

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
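
Added example (not part of the thread above, and not Snort's own code): the point Vinay raises can be made concrete with the rule the subject line refers to. Snort's "ICMP PING NMAP" signature keys on an ICMP echo request (itype 8) carrying no data (dsize 0), which is what a stock nmap ping probe looks like. The script below reproduces that match logic in Python over constructed packets, shows that the same sweep with one byte of padding and a random TTL never trips it, and contrasts it with a behavioural check (one source echo-requesting many distinct hosts) that catches both. All function names, addresses and the threshold of 5 hosts are this example's own assumptions.

```python
import random
import struct
from collections import defaultdict


def _checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_echo_request(src, dst, ttl, payload=b"", ident=0x1234, seq=1):
    """Constructed IPv4 + ICMP echo-request bytes (test data, not captured traffic)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                     ttl, 1, 0, _ip_bytes(src), _ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(pkt):
    """Return the header fields an ICMP rule tests, or None if the packet is not ICMP."""
    if pkt[9] != 1:                     # IP protocol field: 1 == ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "ttl": pkt[8],
        "itype": icmp[0],
        "icode": icmp[1],
        "dsize": len(icmp) - 8,         # ICMP data past the 8-byte echo header
    }


def matches_icmp_ping_nmap(fields):
    """Tool signature as in Snort's ICMP PING NMAP rule: itype 8 and dsize 0."""
    return fields["itype"] == 8 and fields["dsize"] == 0


def count_signature_hits(packets):
    hits = 0
    for pkt in packets:
        fields = parse_icmp(pkt)
        if fields is not None and matches_icmp_ping_nmap(fields):
            hits += 1
    return hits


def detect_echo_sweeps(packets, threshold=5):
    """Behavioural check: sources that echo-request at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for pkt in packets:
        fields = parse_icmp(pkt)
        if fields is not None and fields["itype"] == 8:
            targets[fields["src"]].add(fields["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


def default_sweep(src="10.0.0.9"):
    """Scanner with stock settings: empty payload, fixed TTL."""
    return [build_echo_request(src, "10.0.0.%d" % i, ttl=64) for i in range(1, 9)]


def randomized_sweep(src="10.0.0.10"):
    """Same sweep from a root attacker: random TTL and one byte of padding per probe."""
    rng = random.Random(1)
    return [build_echo_request(src, "10.0.0.%d" % i, ttl=rng.randint(32, 255),
                               payload=bytes([rng.randrange(256)]))
            for i in range(1, 9)]


if __name__ == "__main__":
    for name, pkts in (("default", default_sweep()), ("randomized", randomized_sweep())):
        print("%-10s signature hits: %d  sweep sources: %s"
              % (name, count_signature_hits(pkts), sorted(detect_echo_sweeps(pkts))))
```

Note that the TTL never enters the signature at all; the attacker only has to change the one field the rule does test (a single byte of ICMP data does it, which nmap's own --data-length option provides). The distinct-host counter has no such switch to flip, which is the usual argument for spending matching budget on behaviour rather than on a tool's default packet shape.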


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

