Snort mailing list archives

ICMP Ping speedera


From: "Jessup, Justin" <Justin.Jessup () usdoj gov>
Date: Fri, 19 Jul 2002 12:22:09 -0400

1.) My guess is that you are the victim of a DDoS (distributed denial of service) attack. I would check access to your websites and see if performance is being degraded.
Also look around and see if some covert IRC channels are up and running on those web servers. Hackers often get into these wars where they try to kill a rival hacker group's covert IRC server. I would do some snooping around. Run

    netstat -an

on each of those systems and see who or what is actively connected with an ESTABLISHED connection.


-----Original Message-----
From: /DDV=snort-users-request () lists sourceforge net/DDT=RFC-822/O=INETGW/P=GOV+DOJ/A=TELEMAIL/C=US/ 
[mailto:/DDV=snort-users-request () lists sourceforge net/DDT=RFC-822/O=INETGW/P=GOV+DOJ/A=TELEMAIL/C=US/] 
Sent: Friday, July 19, 2002 12:11 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2093 - 2 msgs
Importance: Low


Today's Topics:

   1. ICMP PING speedera (L. Christopher Luther)
   2. RE: ICMP PING speedera (Hicks, John)

--__--__--

Message: 1
From: "L. Christopher Luther" <CLuther () Xybernaut com>
To: "'snort-users () lists sourceforge net'"
         <snort-users () lists sourceforge net>
Date: Fri, 19 Jul 2002 11:56:21 -0400
Subject: [Snort-users] ICMP PING speedera


Can anyone give me a good definition of what exactly an "ICMP PING
speedera" is?  Snort is detecting *many* of these types of pings
against my web server.

All activity is originating from different hosts during each scan
cycle, but the same group of hosts is repeated during each cycle.
See below for a sample of this activity:

07/19/02-10:25:02.329385  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-10:25:02.339568  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-10:25:02.347032  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-10:25:02.352278  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-10:25:02.353595  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-10:25:02.362706  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-10:25:02.376253  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 63.238.125.34 -> 10.x.x.x
07/19/02-10:25:02.386243  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-10:25:02.397752  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-10:25:02.404776  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-10:25:02.420922  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-10:25:02.454157  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x

07/19/02-11:37:55.348729  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-11:37:55.359533  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-11:37:55.362571  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-11:37:55.366961  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-11:37:55.369756  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-11:37:55.377139  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-11:37:55.402405  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-11:37:55.404888  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-11:37:55.425166  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-11:37:55.453302  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-11:37:55.464767  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x


Sincerely,  

L. Christopher Luther  
Technology Manager  
Xybernaut Solutions, Inc.  
(703) 506-0400 x230  
cluther () xybernaut com  
http://www.xybernautsolutions.com  

My PGP Public Key:  
http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88


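The pattern Luther describes (a burst of one alert per source host, then the same set of hosts again on the next cycle) can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Snort: it parses Snort's fast-alert line format as quoted above, rejoins records that the mail client wrapped (and undoes the PGP clearsign "- " dash-escaping), groups alerts into cycles by time gap, and reports which source hosts appeared or dropped out between cycles. The sample input is constructed from a subset of the quoted alerts, and the 5-second cycle gap is an assumption.

```python
import re
from datetime import datetime, timedelta

# Snort "fast" alert line, the format quoted in the message above:
#   MM/DD/YY-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
TS_START = re.compile(r"^\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+")

# Constructed sample: a subset of the alerts quoted above, kept in the wrapped,
# PGP dash-escaped form in which they appear in the mail.
SAMPLE = """\
07/19/02-10:25:02.329385  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 ->
10.x.x.x
07/19/02-10:25:02.347032  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130
- -> 10.x.x.x
07/19/02-10:25:02.376253  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 63.238.125.34 ->
10.x.x.x

07/19/02-11:37:55.348729  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 ->
10.x.x.x
07/19/02-11:37:55.362571  [**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130
- -> 10.x.x.x
"""

def unwrap(text):
    """Rejoin alert records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # PGP clearsigning prefixes "- " to any line starting with "-"; undo it.
        if line.startswith("- "):
            line = line[2:]
        if TS_START.match(line):
            records.append(line)          # a timestamp starts a new record
        elif records:
            records[-1] += " " + line     # continuation of the previous record
    return records

def parse_alert(record):
    """Parse one unwrapped fast-alert record; return None if it is not one."""
    m = ALERT_RE.match(record)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d/%y-%H:%M:%S.%f")  # 2-digit year
    d["sid"], d["prio"] = int(d["sid"]), int(d["prio"])
    return d

def group_cycles(alerts, gap=timedelta(seconds=5)):
    """Split alerts into cycles: a new cycle begins when the gap since the
    previous alert exceeds `gap` (the 5 s threshold is an assumption)."""
    cycles = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if cycles and a["ts"] - cycles[-1][-1]["ts"] <= gap:
            cycles[-1].append(a)
        else:
            cycles.append([a])
    return cycles

def compare_cycles(cycles):
    """For each cycle, list its source hosts and the hosts that appeared or
    disappeared relative to the previous cycle."""
    report, prev = [], None
    for c in cycles:
        srcs = {a["src"] for a in c}
        report.append({
            "start": c[0]["ts"],
            "sources": srcs,
            "new": set() if prev is None else srcs - prev,
            "missing": set() if prev is None else prev - srcs,
        })
        prev = srcs
    return report

def analyze(text, sid=480, gap=timedelta(seconds=5)):
    """Pipeline for one signature: unwrap, parse, keep only `sid`, cycle, compare."""
    alerts = [a for a in map(parse_alert, unwrap(text)) if a and a["sid"] == sid]
    return compare_cycles(group_cycles(alerts, gap))

if __name__ == "__main__":
    for entry in analyze(SAMPLE):
        print(entry["start"], len(entry["sources"]), "hosts;",
              "new:", sorted(entry["new"]), "missing:", sorted(entry["missing"]))
```

A stable source set across cycles points at a fixed pool of probing hosts (a monitoring service, as the next reply suggests) rather than a changing population of compromised machines; run it over the full alert file to see how stable the set really is.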
--__--__--

Message: 2
From: "Hicks, John" <JHicks () JUSTICE GC CA>
To: "Snort Users (E-mail)" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] ICMP PING speedera
Date: Fri, 19 Jul 2002 12:07:21 -0400


IMHO these rules are useful in identifying specific programs doing the
pinging. My first thought would be monitoring applications. I had this when
I began running my IPCheck utility on my IDS subnet. The alert was "Delphi
Ping". I used Foundstone's "bintext" utility to search for the text string in
all binaries on the offending server, which picked up the string in my
ipcheck.exe.

hth,

John Hicks



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest

