IDS mailing list archives

RE: ICMP Ping Sweep Detection


From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Tue, 14 Oct 2003 21:12:29 -0500


Why not run snort on Windows? See http://www.silicondefense.com/support/windows/. There is a signature included with 
snort that detects the Nachia/Welchia pings, identified as CyberKit 2.2 pings. We are running it (not on Windows, but 
it should work just as well), sending syslog alerts from snort for this signature to a Windows syslog server 
(http://www.kiwisyslog.com/products.htm#syslog) which generates emails and pages to our network group if it detects 
alerts against ten consecutive addresses. Works perfectly. The network group then null routes the address generating 
the pings (to limit the traffic to the local segment), tracks down the associated switch port, and disables the device.

Jerry
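A small detector in the spirit of the pipeline Jerry describes (snort alert, syslog, alarm on ten consecutive addresses), added here as an illustration; it is not code from the thread, from snort or from Kiwi Syslog. It parses constructed syslog-style snort alert lines and flags any source whose CyberKit 2.2 ping alerts walk ten consecutive destination addresses; the host names, addresses and log lines are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Tail of a snort syslog alert: "[gid:sid:rev] msg [Classification: ...] ... {PROTO} src -> dst"
ALERT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[Classification:.*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
)

def parse_alert(line):
    """Return (msg, src, dst) for an ICMP snort alert line, or None for anything else."""
    m = ALERT_RE.search(line)
    if not m or m.group("proto") != "ICMP":
        return None
    return m.group("msg"), m.group("src"), m.group("dst")

def find_sweepers(lines, signature="CyberKit 2.2", threshold=10):
    """Return the set of source IPs whose alerts matching `signature` hit
    `threshold` consecutive destination addresses (each dst == previous dst + 1)."""
    last_dst = {}            # src -> last destination address seen
    run = defaultdict(int)   # src -> length of the current consecutive-address run
    sweepers = set()
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        msg, src, dst = parsed
        if signature not in msg:
            continue
        dst_ip = ipaddress.IPv4Address(dst)
        prev = last_dst.get(src)
        run[src] = run[src] + 1 if prev is not None and dst_ip == prev + 1 else 1
        last_dst[src] = dst_ip
        if run[src] >= threshold:
            sweepers.add(src)
    return sweepers

# Constructed sample log in the shape of snort's syslog output (not a real capture).
def _alert_line(src, dst, sec):
    return (f"Oct 14 20:01:{sec:02d} sensor snort[1234]: [1:483:5] ICMP PING CyberKit 2.2 Windows "
            f"[Classification: Misc activity] [Priority: 3]: {{ICMP}} {src} -> {dst}")

SAMPLE_LOG = [_alert_line("10.0.5.17", f"10.0.5.{i}", i) for i in range(1, 13)]   # 12 consecutive probes
SAMPLE_LOG += [_alert_line("10.0.5.40", "10.0.5.1", 30), _alert_line("10.0.5.40", "10.0.5.9", 31)]  # scattered

if __name__ == "__main__":
    print("hosts sweeping consecutive addresses:", sorted(find_sweepers(SAMPLE_LOG)))
```

The same function can be fed the live syslog file instead of SAMPLE_LOG; the consecutive-address rule is what separates a sweeping worm from a host that legitimately pings a few scattered neighbours.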

-----Original Message-----
From: David J. Jackson [mailto:djackson () netdmz com]
Sent: Monday, October 13, 2003 10:51 PM
To: focus-ids () securityfocus com
Subject: ICMP Ping Sweep Detection


We are currently experiencing a daily issue with a worm that is spreading throughout our network and is running a ping 
sweep (to I assume look for more victims) and creating a Denial of Service on that segment.  If I run my sniffer 
(Ethereal) I can easily detect the packets that are being sent by filtering ICMP ping packets, and I usually find the 
infected computer and take corrective action.
 
Since I'm new to using Snort and IDS products alike, I'm wondering if there are tools available besides snort that will 
allow me to detect these ping sweeps and alert me when they happen so I can find out before users say they can't 
connect to anything.
 
I found many references to "scanlogd", but I can't seem to figure out how to get it up and running.  Also, please don't 
kill me, but I don't have a box with any Linux distribution on it right now that I would be able to use.  I only have 
Win2k and WinXP computers.  Are there any Win32 apps like this available?
 
Thanks to all in advance.
 
David Jackson

