IDS mailing list archives
RE: ICMP Ping Sweep Detection
From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Tue, 14 Oct 2003 21:12:29 -0500
Why not run snort on Windows? See http://www.silicondefense.com/support/windows/. There is a signature included with snort that detects the Nachia/Welchia pings, identified as CyberKit 2.2 pings. We are running it (not on Windows, but it should work just as well), sending syslog alerts from snort for this signature to a Windows syslog server (http://www.kiwisyslog.com/products.htm#syslog) which generates emails and pages to our network group if it detects alerts against ten consecutive addresses. Works perfectly. The network group then null routes the address generating the pings (to limit the traffic to the local segment), tracks down the associated switch port, and disables the device. Jerry -----Original Message----- From: David J. Jackson [mailto:djackson () netdmz com] Sent: Monday, October 13, 2003 10:51 PM To: focus-ids () securityfocus com Subject: ICMP Ping Sweep Detection We are currently experiencing a daily issue with a worm that is spreading throughout our network and is running a ping sweep (to I assume look for more victims) and creating a Denial of Service on that segment. If I run my sniffer (Ethereal) I can easily detect the packets that are being sent by filtering ICMP ping packets, and I usually find the infected computer and take corrective action. Since I'm new to using Snort and IDS products alike, I'm wondering if there are tools available besides snort that will allow me to detect these ping sweeps and alert me when they happen so I can find out before users say they can't connect to anything. I found many references to "scanlogd", but I can't seem to figure out how to get it up and running. Also, please don't kill me, but I don't have a box with any Linux distribution on it right now that I would be able to use. I only have Win2k and WinXP computers. Are there any Win32 apps like this available? Thanks to all in advance. David Jackson Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Current thread:
- ICMP Ping Sweep Detection David J. Jackson (Oct 14)
- <Possible follow-ups>
- RE: ICMP Ping Sweep Detection Jerry Heidtke (Oct 15)
- RE: ICMP Ping Sweep Detection Morse, Greg (Oct 15)
- FW: RE:ICMP Ping Sweep Detection subsurface (Oct 20)