Security Incidents mailing list archives

Re: PING Nmap2.36BETA


From: Eric Kimminau <root () KIMMINAU ORG>
Date: Mon, 29 Jan 2001 17:01:47 -0500

On Mon, 29 Jan 2001, Cristian Dumitrescu wrote:

Date: Mon, 29 Jan 2001 11:58:13 +0200
From: Cristian Dumitrescu <omega () LUMINA RO>
To: INCIDENTS () SECURITYFOCUS COM
Subject: PING Nmap2.36BETA

Hey !

   My router got hit with over 200 PING Nmap2.36BETA pings, on 01/27 from
13:08 ... until 17:30. Apparently, they all came from random hosts ( I
counted over 150 different hosts ).
   Could someone explain the purpose of these pings ?
   It can't be a DoS, because of the time interval between them (from a
few secs to 2-10 mins)
   I don't think it's a scan because of the increased randomness of the
sources.

http://www.insecure.org/nmap/

http://www.whitehats.com/IDS/162

This is the rule that produces this alert:

alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA"; dsize: 0; itype: 8; )

It matches whenever there is an incoming ICMP packet whose data
size is 0 and whose ICMP type is 8 (echo request I
believe).
It does not necessarily mean that someone is running Nmap on you.
Any packet that meets the description I gave will produce the
alert.
"IDSnnn" in a message means that there is information available
about that signature on the arachNIDS database.  See
    http://www.whitehats.com and in particular
    http://www.whitehats.com/IDS/162



NMAP -- The Network Mapper
"If your goal is to understand your network from a 40,000-foot view,
then Windows port scanning tools will suffice. But if you're serious
about your security and looking for the holes that crackers will find,
then take the time to install a Linux box and use nmap." -- Info World

nmap is a utility for port scanning large networks, although it works
fine for single hosts. The guiding philosophy for the creation of nmap
was TMTOWTDI (There's More Than One Way To Do It). This is the Perl
slogan, but it is equally applicable to scanners. Sometimes you need
speed, other times you may need stealth. In some cases, bypassing
firewalls may be required. Not to mention the fact that you may want
to scan different protocols (UDP, TCP, ICMP, etc.). You just can't do
all this with one scanning mode. And you don't want to have 10
different scanners around, all with different interfaces and
capabilities.
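The matching logic of the IDS162 rule quoted in the reply above, as an added example that is not part of the original thread: a small Python decoder that reads IPv4/ICMP datagrams and applies the same three conditions (source outside $HOME_NET, destination inside it, ICMP type 8, zero bytes of payload after the ICMP header). It also shows why an ordinary ping does not fire the rule and why a packet between two internal hosts is excluded. The HOME_NET range and all packets are constructed for the example.

```python
import ipaddress
import struct

# Constructed value for the rule's $HOME_NET variable (assumption for this example).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(src: str, dst: str, itype: int, payload: bytes,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a minimal IPv4 + ICMP datagram (type `itype`, code 0) as test input."""
    icmp_hdr = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = inet_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload
    total_len = 20 + len(icmp)
    # version 4 / IHL 5, TOS, total length, id, flags+frag, TTL 64, proto 1 (ICMP),
    # header checksum placeholder, source, destination
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_packet(pkt: bytes) -> dict:
    """Decode only the fields the rule needs: addresses, protocol, ICMP type, dsize."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    info = {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": pkt[9],
        "itype": None,
        "dsize": None,
    }
    if info["proto"] == 1:
        icmp = pkt[ihl:total_len]
        info["itype"] = icmp[0]
        # Snort's dsize for ICMP counts the bytes after the 8-byte ICMP header.
        info["dsize"] = max(0, len(icmp) - 8)
    return info


def ids162_matches(pkt: bytes, home_net=HOME_NET) -> bool:
    """alert ICMP !$HOME_NET any -> $HOME_NET any (dsize: 0; itype: 8;)"""
    p = parse_packet(pkt)
    if p["proto"] != 1:
        return False
    src_in = ipaddress.IPv4Address(p["src"]) in home_net
    dst_in = ipaddress.IPv4Address(p["dst"]) in home_net
    return (not src_in) and dst_in and p["itype"] == 8 and p["dsize"] == 0


def run_samples() -> dict:
    """Apply the rule to constructed packets; returns {label: matched}."""
    samples = {
        # Zero-payload echo request from outside: the traffic the poster saw.
        "empty_echo_from_outside": build_icmp("198.51.100.7", "192.0.2.10", 8, b""),
        # An ordinary ping carries a payload (56 bytes on Linux), so dsize != 0.
        "normal_ping_from_outside": build_icmp("198.51.100.7", "192.0.2.10", 8, b"\x00" * 56),
        # Echo reply (type 0), not a request.
        "empty_echo_reply": build_icmp("198.51.100.7", "192.0.2.10", 0, b""),
        # Same probe between two internal hosts: excluded by !$HOME_NET.
        "empty_echo_internal": build_icmp("192.0.2.5", "192.0.2.10", 8, b""),
    }
    return {label: ids162_matches(pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, matched in run_samples().items():
        print(f"{label:28s} -> {'ALERT' if matched else 'no alert'}")
```

Only the first sample alerts, which is the point Eric makes: the signature fires on any zero-payload echo request from outside, whatever tool or stack generated it, so the alert name is a hint about the packet shape rather than proof that Nmap was run.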

