Snort mailing list archives

RE: ICMP Ping NMAP


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 30 Jul 2002 20:26:23 -0400

Hi Vinay,

I know that this traffic appears to look like some sort of traceroute, but I
don't believe that it is. This traffic is coming from way too many hosts
destined to the same host. The traffic is also not repeating in any way
(9 packets and that's it). I am starting to think that it has something to do
with when a user is logging in to my network, maybe something like AOL trying
to see if it can contact the AOL network?

vjl

-----Original Message-----
From: Vinay A. Mahadik [mailto:VAMahadik () lbl gov]
Sent: Tuesday, July 30, 2002 6:54 PM
To: larosa, vjay
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] ICMP Ping NMAP


"larosa, vjay" wrote:

Hello Everyone,

Unfortunately I am still working on this same problem. I do have some more
information to share so maybe someone out there can help me solve this
problem. Here are the characteristics,


I could be wrong but it looks like a custom traceroute-like tool to me..
perhaps your firewall blocks UDP high ports etc?..

This actually reminds me of a question I think I had posted before and was
never answered.. what's the point in having signatures for *tools* of
reconnaissance (nmap, queso etc)? E.g. in this case, assuming it is a
scan, and knowing that the TTL is changing, the attacker is probably
root and thus can randomize most of the headers/fields that are
irrelevant to scanning. Simply because some nice/standard scanners use
specific tags/marks shouldn't mean an IDS should include rules for every
such tool ever created? There are so many such rules in Snort.. and
I fail to see how such sigs are useful given the overhead in searching
through all (an increasing number) of them..

Any thoughts?

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
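The point Vinay raises above (a tool signature keys on a field the scanner author controls, so a root attacker can simply change it) and the pattern vjay describes (a short burst from many hosts to one target) can both be shown on the wire. The example below is added here for illustration; it is not code from either poster or from the Snort project. It ports the match logic of the classic Snort "ICMP PING NMAP" rule (sid 469: an ICMP echo request, itype 8, with an empty payload, dsize 0) into a Python check, builds some echo requests to run it against, and then adds a behavioural fan-in check that counts distinct sources per destination inside a time window. The packet builder, the sample event list, the 60-second window and the five-source threshold are all assumptions made for the example, not values from the thread.

```python
"""Tool signature vs. behavioural check for ICMP echo probes.

Added example; not code from the mailing-list posters or from Snort.
All packets and events below are constructed inline for illustration.
"""
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
TARGET = "10.0.0.5"  # assumed victim address for the constructed burst


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def matches_icmp_ping_nmap(icmp: bytes) -> bool:
    """Port of Snort sid 469's match conditions: itype:8; dsize:0.

    dsize is the ICMP payload length, i.e. everything after the 8-byte header.
    """
    if len(icmp) < 8:
        return False
    return icmp[0] == ICMP_ECHO_REQUEST and len(icmp) - 8 == 0


def flag_fan_in(events, window: float = 60.0, min_sources: int = 5):
    """Behavioural check: destinations probed by >= min_sources distinct
    sources within any `window` seconds.

    events: iterable of (timestamp, src, dst) for ICMP echo requests, in
    time order. Returns {dst: peak distinct-source count} for flagged dsts.
    """
    recent = defaultdict(list)  # dst -> [(ts, src), ...] inside the window
    peak = defaultdict(int)
    for ts, src, dst in events:
        bucket = recent[dst]
        bucket.append((ts, src))
        while bucket and bucket[0][0] < ts - window:  # expire old entries
            bucket.pop(0)
        distinct = len({s for _, s in bucket})
        if distinct > peak[dst]:
            peak[dst] = distinct
    return {dst: n for dst, n in peak.items() if n >= min_sources}


# Constructed sample: nine different hosts each send one echo request to
# TARGET over 24 seconds (the "9 packets and that's it" pattern), while a
# single host pings 10.0.0.9 every 10 s for five minutes (ordinary monitoring).
SAMPLE_EVENTS = sorted(
    [(float(t), "192.0.2.%d" % i, TARGET) for i, t in enumerate(range(0, 27, 3), 1)]
    + [(float(t), "198.51.100.7", "10.0.0.9") for t in range(0, 300, 10)]
)


def evasion_demo():
    """Same nine-host burst, but each probe carries one byte of payload.

    Returns (signature hits, fan-in result): the tool signature fires zero
    times once dsize != 0, while the fan-in check still flags TARGET.
    """
    sig_hits = sum(
        matches_icmp_ping_nmap(build_echo_request(0xBEEF, seq, b"\x00"))
        for seq, (_, _, dst) in enumerate(SAMPLE_EVENTS)
        if dst == TARGET
    )
    return sig_hits, flag_fan_in(SAMPLE_EVENTS)


if __name__ == "__main__":
    print("sid 469 on empty echo :", matches_icmp_ping_nmap(build_echo_request(1, 1)))
    print("sid 469 on 1-byte echo:", matches_icmp_ping_nmap(build_echo_request(1, 1, b"\x00")))
    print("evasion demo          :", evasion_demo())
```

The fan-in check is deliberately crude (no per-source TTL or timing features, no reply tracking); its point is only that it keys on something the scanner cannot randomise away, namely the number of distinct hosts that touch one target, rather than on a payload length that any raw-socket tool can change.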


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
