Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:476 |
| Message | ICMP webtrends scanner |
| Summary | This event is generated when Webtrends Security Scanner generates an ICMP echo request message. |
| Impact | ICMP echo requests are used to determine if a host is running at a specific IP address. A remote attacker can scan a large range of hosts using ICMP echo requests to determine what hosts are operational on the network. |
| Detailed Information | Webtrends Ecurity Scanner generates a ICMP Echo Request message containing the following hex signature: |00000000454545454545454545454545| By searching for this string in a packet, it is possible to determine the type of host that generated the request. |
| Affected Systems | |
| Attack Scenarios | A remote attacker might scan a large range of hosts using ICMP echo requests to determine what hosts are operational on the network. |
| Ease of Attack | Simple. The "ping" utility found on most operating systems can generate these types of ICMP messages. |
| Corrective Action | To prevent information gathering, use a firewall to block incoming ICMP Type 8 Code 0 traffic. |
| Additional References | http://www.whitehats.com/info/IDS307 |
| Rule References | arachnids: 307 |
--
DID:650669
--
http://www.aanval.com/