Snort mailing list archives
RE: ICMP PING CyberKit 2.2 Windows
From: "Tony Bunce" <tonyb () go-concepts com>
Date: Fri, 22 Aug 2003 00:41:10 -0400
We are also getting lots of these. You may want to watch your network, as it appears that this is causing some major problems with TNT dialup boxes.
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml has some info about it.
Apparently each one of those 91-byte pings generates an ARP request, and some devices aren't handling such a large number of ARP requests too well.

Thanks,
Tony B, CCNA, Network+
Systems Administration
GO Concepts, Inc. / www.go-concepts.com
Are you on the GO yet? What about those you know, are they on the GO?
513.934.2800
1.888.ON.GO.YET

-----Original Message-----
From: JP Vossen [mailto:vossenjp () netaxs com]
Sent: Thursday, August 21, 2003 5:18 PM
To: snort-users () lists sourceforge net
Cc: mike.feetham () percepta-crm com
Subject: RE: [Snort-users] ICMP PING CyberKit 2.2 Windows
From: "Mike Feetham" <mike.feetham () percepta-crm com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows
Date: Wed, 20 Aug 2003 12:32:40 -0400

Between Monday and Tuesday we saw over 10,000 hits on our Class C. Between yesterday and today that number dropped to about 3,000. Today, we're not seeing any. My only guess is that our ISPs are blocking them (Allstream, and Worldcom). Has anyone else seen this behaviour?
As other posters have indicated, it has not slacked off elsewhere. In fact, my Snort/ACID honeypot numbers show it getting worse if anything! This is on my iDSL backup link, so we are talking about a small link in a broadband IP segment, just to give an idea of proportion.

Note I am counting PACKETS here, *not* the CyberKit rule. See the query below.
<honeypot stats>
Date Packets Per_Hour Est_Attacks
2003-08-01 13 0.54 6.50
2003-08-02 8 0.33 4.00
2003-08-03 11 0.46 5.50
2003-08-04 9 0.38 4.50
2003-08-05 47 1.96 23.50
2003-08-06 67 2.79 33.50
2003-08-07 11 0.46 5.50
2003-08-08 12 0.50 6.00
2003-08-09 12 0.50 6.00
2003-08-10 37 1.54 18.50
2003-08-11 768 32.00 384.00
2003-08-12 1698 70.75 849.00
2003-08-13 1142 47.58 571.00
2003-08-14 1218 50.75 609.00
2003-08-15 1097 45.71 548.50
2003-08-16 1009 42.04 504.50
2003-08-17 952 39.67 476.00
2003-08-18 2440 101.67 1220.00
2003-08-19 3989 166.21 1994.50
2003-08-20 4606 191.92 2303.00
2003-08-21 3235 190.29 1617.50
Current up to: 2003-08-21 17:10:16-0400
Note 1: Est_Attacks assumes 2 packets per attack. That is--an ESTIMATE!
Note 2: The last entry (time-to-present) is also a rough estimate...
<honeypot stats>
Note this is just an SQL query of an ACID table in a shell script. I'll post or e-mail the whole thing if anyone cares, but here's the guts:
...
# Date range, YYYY-MM-DD: defaults to 2003-08-01 through today, or the
# first and second script arguments if given.
START=${1:-2003-08-01}
END=${2:-`date +%Y-%m-%d`}
...
# Count TCP/135 events per day straight out of the ACID event table;
# Per_Hour and Est_Attacks are derived from the packet count (see notes above).
mysql snort <<SQL | tee daily.txt
SELECT DATE_FORMAT(timestamp, '%Y-%m-%d') AS Date,
       COUNT(*) AS Packets,
       (COUNT(*)/24) AS Per_Hour,
       (COUNT(*)/2) AS Est_Attacks
FROM acid_event
WHERE ((layer4_dport = 135 AND ip_proto = 6)
   AND (timestamp BETWEEN '${START}' AND '${END}'))
GROUP BY Date;
SQL
...
Later,
JP
-------------------------------|:::======|--------------------------------
JP Vossen, CISSP               |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions        |=========|       http://www.jpsdomain.org/
-------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed Linux..."
-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click
here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
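Added example, not from JP's post or from the ACID project: the same daily aggregation run in Python against an in-memory SQLite copy of the acid_event columns the query touches (sid and cid are assumed from the ACID schema; all rows below are constructed, not real traffic). SQLite's strftime stands in for MySQL's DATE_FORMAT, and the divisions use 24.0 and 2.0 because SQLite, unlike MySQL, divides two integers as integers. It also shows the end-of-range caveat behind Note 2: with END defaulting to today's bare date, MySQL reads '2003-08-21' as 2003-08-21 00:00:00, so BETWEEN drops everything after midnight on the last day; passing a 23:59:59 upper bound keeps the whole day. The dport=None path counts ICMP (ip_proto 1) instead of TCP/135, for anyone who does want to count the pings rather than the port-135 traffic.

```python
import sqlite3

# Constructed sample rows standing in for ACID's acid_event table. The
# columns timestamp, ip_proto and layer4_dport are the ones JP's query uses;
# sid/cid are assumed from the ACID schema. ip_proto 6 = TCP, 1 = ICMP.
SAMPLE_EVENTS = [
    # (timestamp,            ip_proto, layer4_dport)
    ("2003-08-11 00:15:02", 6, 135),
    ("2003-08-11 00:15:03", 6, 135),
    ("2003-08-11 13:40:10", 6, 135),
    ("2003-08-12 02:01:00", 6, 135),
    ("2003-08-12 02:01:01", 6, 135),
    ("2003-08-12 02:01:02", 6, 445),  # other port: excluded by the 135 filter
    ("2003-08-12 09:30:00", 1, 0),    # ICMP echo: excluded by the TCP filter
    ("2003-08-13 23:59:59", 6, 135),  # last second of the range's final day
]


def load_events(rows):
    """Build an in-memory SQLite table with the subset of acid_event
    columns the query touches and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE acid_event ("
        " sid INTEGER, cid INTEGER, timestamp TEXT,"
        " ip_proto INTEGER, layer4_dport INTEGER)"
    )
    conn.executemany(
        "INSERT INTO acid_event VALUES (1, ?, ?, ?, ?)",
        [(cid, ts, proto, dport) for cid, (ts, proto, dport) in enumerate(rows, 1)],
    )
    return conn


def daily_counts(conn, start, end, dport=135, ip_proto=6, end_of_day=True):
    """Per-day packet count, packets per hour and the 2-packets-per-attack
    estimate from JP's script, as (Date, Packets, Per_Hour, Est_Attacks).

    start/end are YYYY-MM-DD. With end_of_day=True the upper bound is
    '<end> 23:59:59'; with False it is the bare date, as in the original
    BETWEEN '${START}' AND '${END}', where a bare end date sorts before
    every timestamp on that day and so drops the last day entirely.
    dport=None skips the port test (ICMP has no port to match on).
    """
    lo = f"{start} 00:00:00"
    hi = f"{end} 23:59:59" if end_of_day else end
    port_clause = "" if dport is None else "AND layer4_dport = :dport "
    sql = (
        "SELECT strftime('%Y-%m-%d', timestamp) AS Date, "
        "       COUNT(*) AS Packets, "
        "       COUNT(*) / 24.0 AS Per_Hour, "    # 24.0: avoid integer division
        "       COUNT(*) / 2.0 AS Est_Attacks "
        "FROM acid_event "
        "WHERE ip_proto = :proto " + port_clause +
        "  AND timestamp BETWEEN :lo AND :hi "
        "GROUP BY Date ORDER BY Date"
    )
    params = {"proto": ip_proto, "dport": dport, "lo": lo, "hi": hi}
    return [tuple(row) for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = load_events(SAMPLE_EVENTS)
    print("Date        Packets  Per_Hour  Est_Attacks")
    for d, p, h, a in daily_counts(conn, "2003-08-11", "2003-08-13"):
        print(f"{d}  {p:7d}  {h:8.2f}  {a:11.2f}")
```

Running it with end_of_day=False for the same range silently loses the 2003-08-13 row, which is the behaviour to watch for when END is "today" and the script is run mid-day.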