Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:469 |
| Message | ICMP PING NMAP |
| Summary | This event is generated when an ICMP ping typically generated by nmap is detected. |
| Impact | This could indicate a full scan by nmap, which is sometimes indicative of potentially malicious behavior. |
| Detailed Information | Nmap's ICMP ping, by default, sends zero data as part of the ping. Nmap typically pings the host via ICMP if the user has root privileges, and uses a TCP ping otherwise. |
| Affected Systems | |
| Attack Scenarios | As part of an information-gathering attempt, an attacker may use nmap to see which hosts are alive on a given network. If nmap is used for port scanning as root, the ICMP ping will occur by default unless the user specifies otherwise (via '-P0'). |
| Ease of Attack | Trivial. Nmap requires little or no skill to operate. |
| Corrective Action | If you detect other suspicious traffic from this host (e.g., a portscan), follow standard procedure to assess what threat this may pose. If you only detect the ICMP ping, this may have simply been a 'ping sweep' and may be ignored. |
| Additional References | www.insecure.org |
| Rule References | arachnids: 162 |
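
The zero-data property described under Detailed Information can be checked directly on a captured IPv4 packet. The following Python is an added example, not the Snort rule or Aanval code; the function names and the sample packets (documentation-range addresses) are constructed, and it goes beyond the text by also validating the ICMP checksum and ignoring link-layer padding.

```python
import struct

ICMP_PROTO = 1      # IPv4 protocol number for ICMP
ECHO_REQUEST = 8    # ICMP type for echo request

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct a sample IPv4 + ICMP echo request (constructed test data)."""
    icmp = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp

def classify(packet: bytes) -> str:
    """Return 'empty-echo' for an ICMP echo request that carries no data."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return "malformed"
    if packet[9] != ICMP_PROTO:
        return "not-icmp"
    # Slice by the IP total length, not the capture length: Ethernet pads
    # short frames, and that padding must not be counted as ICMP data.
    icmp = packet[ihl:total_len]
    if len(icmp) < 8:
        return "malformed"
    if icmp[0] != ECHO_REQUEST:
        return "other-icmp"
    if inet_checksum(icmp) != 0:   # a valid message sums to zero
        return "bad-checksum"
    return "empty-echo" if len(icmp) == 8 else "echo-with-data"

if __name__ == "__main__":
    for name, pkt in [("zero-data echo", build_echo_request(b"")),
                      ("56-byte echo", build_echo_request(bytes(56)))]:
        print(name, "->", classify(pkt))
```

An `empty-echo` result on its own corresponds to the 'ping sweep' case under Corrective Action; correlate it with other traffic from the same source before treating it as part of a scan.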
--
DID:132787