Snort mailing list archives
ICMP Ping speedera
From: "Jessup, Justin" <Justin.Jessup () usdoj gov>
Date: Fri, 19 Jul 2002 12:22:09 -0400
1.) My guess is that you are the victim of a DDOS (distributed denial of service) attack. I would check access to your websites to see if performance is being degraded. Also look around and see if some covert IRC channels are up and running on those web servers. Hackers often get into these wars where they try to kill a rival hacker group's covert IRC server. I would do some snooping around: run netstat -an on each of those systems and see who or what is actively connected with an ESTABLISHED connection.

-----Original Message-----
From: snort-users-request () lists sourceforge net
Sent: Friday, July 19, 2002 12:11 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2093 - 2 msgs
Importance: Low

Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. ICMP PING speedera (L. Christopher Luther)
2. RE: ICMP PING speedera (Hicks, John)

--__--__--

Message: 1
From: "L. Christopher Luther" <CLuther () Xybernaut com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Fri, 19 Jul 2002 11:56:21 -0400
Subject: [Snort-users] ICMP PING speedera
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can anyone give me a good definition of what exactly an "ICMP PING speedera" is? Snort is detecting *many* of these types of pings against my web server. All activity is originating from different hosts during each scan cycle, but the same group of hosts is repeated during each cycle. See below for a sample of this activity:

07/19/02-10:25:02.329385 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-10:25:02.339568 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-10:25:02.347032 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-10:25:02.352278 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-10:25:02.353595 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-10:25:02.362706 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-10:25:02.376253 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 63.238.125.34 -> 10.x.x.x
07/19/02-10:25:02.386243 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-10:25:02.397752 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-10:25:02.404776 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-10:25:02.420922 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-10:25:02.454157 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x

07/19/02-11:37:55.348729 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-11:37:55.359533 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-11:37:55.362571 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-11:37:55.366961 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-11:37:55.369756 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-11:37:55.377139 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-11:37:55.402405 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-11:37:55.404888 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-11:37:55.425166 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-11:37:55.453302 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-11:37:55.464767 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x

Sincerely,

L. Christopher Luther
Technology Manager
Xybernaut Solutions, Inc.
(703) 506-0400 x230
cluther () xybernaut com
http://www.xybernautsolutions.com

My PGP Public Key: http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88

CONFIDENTIALITY NOTE: This communication contains information that is confidential and/or legally privileged. This information is intended only for the use of the individual or entity named on this communication. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, printing or other use of, or any action in reliance on, the contents of this communication is strictly prohibited. If you receive this communication in error, please immediately notify us by telephone at (703) 506-0400.

------------------------------------------------------------
Unsolicited commercial e-mail will automatically be reported to the appropriate abuse@ - without exception.
------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPTg2pau/XM0hJhuIEQJptQCg15BOhF3YIVTaJBp7H69Of5XSNrIAn2G8
evAYtpvA+WSilrl6CwKuX+Oh
=lUhN
-----END PGP SIGNATURE-----
--__--__--

Message: 2
From: "Hicks, John" <JHicks () JUSTICE GC CA>
To: "Snort Users (E-mail)" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] ICMP PING speedera
Date: Fri, 19 Jul 2002 12:07:21 -0400

IMHO these rules are useful in identifying specific programs doing the pinging. My first thought would be monitoring applications. I had this when I began running my IPCheck utility on my IDS subnet. The alert was "Delphi Ping". I used Foundstone's "bintext" utility to search for the text string in all binaries in the offending server, which picked up the string in my ipcheck.exe.

hth,

John Hicks
--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
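The poster's observation (different hosts within a cycle, but the same group of hosts every cycle) can be checked mechanically rather than by eye. The script below is an added example and is not code from this thread or from the Snort project: it parses Snort "fast" alert lines of the form quoted above, splits them into scan cycles, and reports which source addresses recur across cycles. The sample lines are a constructed subset of the alerts quoted in the thread (same sid 1:480:2, same source addresses, sanitized 10.x.x.x destination); the 5-second gap used to separate cycles is an assumption chosen for this sample, not a Snort setting. A stable, recurring set of sources at long intervals is the pattern a monitoring or probing service produces, which is the benign explanation John Hicks raises; a growing or constantly changing set, or a high rate within a cycle, is what would justify the flood checks Justin Jessup suggests.

```python
"""Group Snort 'fast' alert lines into scan cycles and list recurring sources.

Added example, not code from the Snort project or from the list thread.
SAMPLE_ALERTS is a constructed subset of the alerts quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snort fast-alert line, e.g.
# 07/19/02-10:25:02.329385 [**] [1:480:2] ICMP PING speedera [**]
#   [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
# Classification and Priority are optional; src/dst may carry ":port" for TCP/UDP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample: four sources from the first cycle and three from the
# second; 63.238.125.34 appears only in the first, as in the quoted alerts.
SAMPLE_ALERTS = """\
07/19/02-10:25:02.329385 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-10:25:02.339568 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-10:25:02.376253 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 63.238.125.34 -> 10.x.x.x
07/19/02-10:25:02.454157 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x
07/19/02-11:37:55.348729 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-11:37:55.359533 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-11:37:55.464767 [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%m/%d/%y-%H:%M:%S.%f")
    return fields


def group_cycles(alerts, gap=timedelta(seconds=5)):
    """Split alerts into cycles: a new cycle starts when the gap since the
    previous alert exceeds `gap` (assumed threshold, tuned for this sample)."""
    cycles = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if cycles and a["ts"] - cycles[-1][-1]["ts"] <= gap:
            cycles[-1].append(a)
        else:
            cycles.append([a])
    return cycles


def recurring_sources(cycles, min_cycles=2):
    """Map each source seen in at least `min_cycles` cycles to the cycle indexes."""
    seen = defaultdict(set)
    for i, cycle in enumerate(cycles):
        for a in cycle:
            seen[a["src"]].add(i)
    return {src: sorted(idx) for src, idx in seen.items() if len(idx) >= min_cycles}


def summarize(text):
    """Parse a block of fast-alert lines and summarize cycles and recurring sources."""
    alerts = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    cycles = group_cycles(alerts)
    return {
        "alerts": len(alerts),
        "cycles": len(cycles),
        "cycle_sizes": [len(c) for c in cycles],
        "sids": sorted({a["sid"] for a in alerts}),
        "recurring": recurring_sources(cycles),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS)
    print(f"{report['alerts']} alerts in {report['cycles']} cycles, sizes {report['cycle_sizes']}")
    for src, idx in sorted(report["recurring"].items()):
        print(f"  {src:<16} seen in cycles {idx}")
```

Point the script at a real alert file (`summarize(open("alert").read())`) and widen `gap` if a cycle is spread over more than a few seconds; sources that drop in and out between cycles, like 63.238.125.34 in the sample, are the ones worth a closer look, since a fixed probing pool normally reports the same members every time.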
Current thread:
- ICMP PING speedera L. Christopher Luther (Jul 19)
- Re: ICMP PING speedera J. Craig Woods (Jul 19)
- <Possible follow-ups>
- RE: ICMP PING speedera Hicks, John (Jul 19)
- ICMP Ping speedera Jessup, Justin (Jul 19)
- RE: ICMP PING speedera L. Christopher Luther (Jul 19)
- Re: RE: ICMP PING speedera Jim Burwell (Jul 19)
- RE: RE: ICMP PING speedera Neville, Greg (Jul 19)
- RE: RE: ICMP PING speedera L. Christopher Luther (Jul 19)