Snort mailing list archives

RE: ICMP PING CyberKit 2.2 Windows

From: "Yackley, Matt" <Matt.Yackley () perkinswill com>
Date: Tue, 19 Aug 2003 22:22:33 -0500

Stevo,
The W32.Welchia.Worm (Symantec) is causing these alerts.  The worm pings the
target machine before sending its RPC DCOM exploit packets, these pings
contain the payload that matchs the Cyberkit tools ping signature.  There
isn't much you can do to block these other than blocking ICMP ping requests
at your border routers or turning off that rule.
 
-matt

-----Original Message----- 
From: Stevo [mailto:checkpoint () ozbergs com] 
Sent: Tue 8/19/2003 7:30 PM 
To: snort-users () lists sourceforge net 
Cc: 
Subject: [Snort-users] ICMP PING CyberKit 2.2 Windows



Guys, 

So what's the deal with the 72000 odd ICMP PING CyberKit 2.2 Windows alerts 
I've got in the past few days??  It's frickin crazy...  I've read the posts 
on here, but what is actually causing this and is there anything I can do at

my perimeter to stop these ICMP messages hitting my network?? 

It's just annoying and I don't want to remove the rule that picks up on the 
ICMP PING CyberKit 2.2 Windows!! 

Ideas?? 

Stevo 




------------------------------------------------------- 
This SF.net email is sponsored by Dice.com. 
Did you know that Dice has over 25,000 tech jobs available today? From 
careers in IT to Engineering to Tech Sales, Dice has tech jobs from the 
best hiring companies. http://www.dice.com/index.epl?rel_code=104
<http://www.dice.com/index.epl?rel_code=104>  
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users
<https://lists.sourceforge.net/lists/listinfo/snort-users>  
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users
<http://www.geocrawler.com/redir-sf.php3?list=snort-users>  



-------------------------------------------------------
This SF.net email is sponsored by Dice.com.
Did you know that Dice has over 25,000 tech jobs available today? From
careers in IT to Engineering to Tech Sales, Dice has tech jobs from the
best hiring companies. http://www.dice.com/index.epl?rel_code=104
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: ICMP PING CyberKit 2.2 Windows, (continued)
- RE: ICMP PING CyberKit 2.2 Windows Francis A. Vidal (Aug 20)
- RE: ICMP PING CyberKit 2.2 Windows nelsbels (Aug 20)
  - RE: RE: ICMP PING CyberKit 2.2 Windows Eric Greenberg (Aug 20)
    - RE: RE: ICMP PING CyberKit 2.2 Windows Mike Feetham (Aug 20)
    - RE: RE: ICMP PING CyberKit 2.2 Windows Bryan Irvine (Aug 20)
    - Re: RE: ICMP PING CyberKit 2.2 Windows Michael Anderson (Aug 21)
    - RE: RE: ICMP PING CyberKit 2.2 Windows Arvind Clemente (Aug 21)
    - RE: RE: ICMP PING CyberKit 2.2 Windows Bryan Irvine (Aug 22)
    - Re: RE: ICMP PING CyberKit 2.2 Windows Wes Zuber (Aug 25)
    - RE: RE: ICMP PING CyberKit 2.2 Windows Francis A. Vidal (Aug 25)
- RE: ICMP PING CyberKit 2.2 Windows Yackley, Matt (Aug 19)
- RE: RE: ICMP PING CyberKit 2.2 Windows L. Christopher Luther (Aug 20)
- RE: ICMP PING CyberKit 2.2 Windows JP Vossen (Aug 21)
- RE: ICMP PING CyberKit 2.2 Windows Tony Bunce (Aug 21)
- RE: RE: ICMP PING CyberKit 2.2 Windows Alexander Hampel (Aug 25)
  - RE: RE: ICMP PING CyberKit 2.2 Windows Francis A. Vidal (Aug 25)
    - RE: RE: ICMP PING CyberKit 2.2 Windows Jade E. Deane (Aug 25)
    - RE: RE: ICMP PING CyberKit 2.2 Windows Francis A. Vidal (Aug 25)
    - RE: RE: ICMP PING CyberKit 2.2 Windows twig les (Aug 25)