From: Eric Kimminau (rootKIMMINAU.ORG)
Date: Mon Jan 29 2001 - 16:01:47 CST


    On Mon, 29 Jan 2001, Cristian Dumitrescu wrote:

    > Date: Mon, 29 Jan 2001 11:58:13 +0200
    > From: Cristian Dumitrescu <omegaLUMINA.RO>
    > To: INCIDENTSSECURITYFOCUS.COM
    > Subject: PING Nmap2.36BETA
    >
    > Hey !
    >
    > My router got hit with over 200 PING Nmap2.36BETA pings, on 01/27 from
    > 13:08 ... until 17:30. Apparently, they all came from random hosts (I
    > counted over 150 different hosts).
    > Could someone explain the purpose of these pings?
    > It can't be a DoS, because of the time interval between them (from a
    > few secs to 2-10 mins).
    > I don't think it's a scan because of the increased randomness of the
    > sources.

    http://www.insecure.org/nmap/

    http://www.whitehats.com/IDS/162

    This is the rule that produces this alert:

    alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA"; dsize: 0; itype: 8; )

    It matches whenever there is an incoming ICMP packet whose data
    size is 0 and whose ICMP type is 8 (echo request, I believe).
    It does not necessarily mean that someone is running Nmap on you.
    Any packet that meets the description I gave will produce the
    alert.
    "IDSnnn" in a message means that there is information available
    about that signature on the arachNIDS database. See
        http://www.whitehats.com and in particular
        http://www.whitehats.com/IDS/162

    NMAP -- The Network Mapper
    "If your goal is to understand your network from a 40,000-foot view,
    then Windows port scanning tools will suffice. But if you're serious
    about your security and looking for the holes that crackers will find,
    then take the time to install a Linux box and use nmap." -- Info World

    nmap is a utility for port scanning large networks, although it works
    fine for single hosts. The guiding philosophy for the creation of nmap
    was TMTOWTDI (There's More Than One Way To Do It). This is the Perl
    slogan, but it is equally applicable to scanners. Sometimes you need
    speed, other times you may need stealth. In some cases, bypassing
    firewalls may be required. Not to mention the fact that you may want
    to scan different protocols (UDP, TCP, ICMP, etc.). You just can't do
    all this with one scanning mode. And you don't want to have 10
    different scanners around, all with different interfaces and
    capabilities.
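As an added example (not part of the original message, and not Snort's own code), the following Python script applies the three conditions of the IDS162 rule above (source outside $HOME_NET, destination inside it, ICMP type 8, zero-length payload) to a handful of constructed raw IPv4/ICMP packets. The $HOME_NET value, the addresses and the payload sizes are assumptions chosen for the demonstration; "dsize" is treated here as the number of bytes following the 8-byte echo header, which is the practical meaning for this rule. The samples make the point of the reply concrete: a zero-payload echo request from outside fires the alert whatever tool sent it, while a default Linux ping (56 data bytes), a default Windows ping (32 data bytes), an empty echo reply, and an outbound empty echo request do not.

```python
import ipaddress
import struct

# Assumed home network for the demonstration; substitute your own $HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, itype: int, payload: bytes) -> bytes:
    """Construct a raw IPv4 + ICMP packet as sample input (constructed data,
    not a capture). The IP header checksum is left at 0; the parser below
    does not rely on it."""
    icmp_hdr = struct.pack("!BBHHH", itype, 0, 0, 0x1234, 1)   # type, code, csum, id, seq
    csum = icmp_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", itype, 0, csum, 0x1234, 1) + payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,          # v4/IHL=5, TTL 64, proto 1 (ICMP)
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return ip_hdr + icmp


def parse_icmp(packet: bytes):
    """Return (src, dst, itype, dsize) for an IPv4/ICMP packet, or None if the
    packet is not IPv4/ICMP, is truncated, or has a bad ICMP checksum."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or total_len < ihl + 8 or len(packet) < total_len:
        return None
    icmp = packet[ihl:total_len]
    if icmp_checksum(icmp) != 0:          # checksum over header+data must verify to 0
        return None
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    dsize = len(icmp) - 8                 # bytes after the 8-byte echo header (assumed dsize semantics)
    return src, dst, icmp[0], dsize


def matches_ids162(packet: bytes) -> bool:
    """alert ICMP !$HOME_NET any -> $HOME_NET any (dsize: 0; itype: 8;)"""
    parsed = parse_icmp(packet)
    if parsed is None:
        return False
    src, dst, itype, dsize = parsed
    outside_to_home = (ipaddress.ip_address(src) not in HOME_NET
                       and ipaddress.ip_address(dst) in HOME_NET)
    return outside_to_home and itype == 8 and dsize == 0


# Constructed samples (addresses from documentation ranges, not real hosts).
SAMPLES = {
    "empty echo request, outside -> home": build_icmp_packet("203.0.113.7", "192.168.1.1", 8, b""),
    "linux default ping (56 data bytes)":  build_icmp_packet("203.0.113.7", "192.168.1.1", 8, b"\x00" * 56),
    "windows default ping (32 data bytes)": build_icmp_packet("203.0.113.7", "192.168.1.1", 8, b"a" * 32),
    "empty echo reply, outside -> home":   build_icmp_packet("203.0.113.7", "192.168.1.1", 0, b""),
    "empty echo request, home -> outside": build_icmp_packet("192.168.1.1", "203.0.113.7", 8, b""),
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the IDS162 rule would fire on it."""
    return {name: matches_ids162(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, fired in classify(SAMPLES).items():
        print(f"{'ALERT ' if fired else 'quiet '} {name}")
```

Only the first sample fires, which is the reply's point: the rule keys on an empty echo request, not on anything specific to nmap, so any scanner or ping utility that sends a zero-byte payload will raise the same "PING Nmap2.36BETA" alert.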