Snort mailing list archives

Re: NMAP alerts


From: Maarten Van Horenbeeck <maarten () daemon be>
Date: Sat, 20 Dec 2003 19:32:00 +0000 (GMT)

Hi Bob,

> I've been noticing a few PCs on our network generating large numbers of
> NMAP alerts (icmp ping nmap). It seems to be caused by "CNet Download
> Manager". I found this app loaded on two PCs generating the alert and,
> after removing it, the alerts appear to have disappeared. Has anyone else
> encountered a similar problem?

This is perfectly normal.  The Kontiki download manager (which is used by
CNET as well), sends an ICMP echo request with 0 bytes of data to the
default gateway every two seconds.  It most likely does this to assess how
good your local connection is, as part of a metric for its "secure
delivery network".  However, if you disable use of the SDN, the ICMP
packets will still continue to be transmitted.

There is a small description in the signature documentation itself:
http://www.snort.org/snort-db/sid.html?sid=469

Best regards,
Maarten

--
Maarten Van Horenbeeck
maarten () daemon be
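
An added triage example, not part of the original message: it groups SID 469 alerts by source and separates a host that pings one destination on a steady two-second cadence (the download-manager behaviour described above) from a host that touches many destinations. The log lines are constructed, in Snort's "fast" alert layout; the tolerance and minimum event count are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (addresses, times and rule revision are made up).
FMT = ("12/20-19:31:{:02d}.000000  [**] [1:469:1] ICMP PING NMAP [**] "
       "[Priority: 2] {{ICMP}} {} -> {}")
SAMPLE = "\n".join(
    # One host pinging its gateway every 2 seconds.
    [FMT.format(s, "10.0.0.21", "10.0.0.1") for s in (0, 2, 4, 6, 8)]
    # One host hitting five different addresses within the same second.
    + [FMT.format(1, "10.0.0.99", f"10.0.0.{h}") for h in range(1, 6)]
    # An unrelated (constructed) alert that must be ignored.
    + ["12/20-19:31:03.000000  [**] [1:0:0] OTHER [**] {ICMP} 10.0.0.50 -> 10.0.0.1"]
)

ALERT = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s.*\[1:469:\d+\].*\{ICMP\}\s(\S+)\s->\s(\S+)"
)

def classify(text, period=2.0, tol=0.5, min_events=4):
    """Return {source_ip: verdict} for SID 469 alerts found in text."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = ALERT.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
            events[m.group(2)].append((ts, m.group(3)))
    verdicts = {}
    for src, evs in events.items():
        evs.sort()
        dsts = {dst for _, dst in evs}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        if len(dsts) > 1:
            # Many targets from one source: look at this one by hand.
            verdicts[src] = "multi-destination"
        elif len(evs) >= min_events and all(abs(g - period) <= tol for g in gaps):
            # Single target, fixed cadence: matches the behaviour in the message.
            verdicts[src] = "periodic-single-destination"
        else:
            verdicts[src] = "unclassified"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE).items()):
        print(src, verdict)
```

A source reported as periodic-single-destination still needs its destination checked against the segment's default gateway before the alerts are treated as benign.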

