Re: [ISSForum] Ping Sweep

From: Hee Kiong (kiong@danawan.com)
Date: Fri Oct 07 2005 - 20:32:58 CDT


Hi Paul,

Is there any update on the algorithm that I am requesting from you? Thanks

Hee Kiong Lau
Danawan Technologies Sdn Bhd
Tel: +673-2237777
Fax: +673-2237778
Mobile: +673-8712237

Palmer, Paul (ISSAtlanta) wrote:

>The Ping_Sweep algorithm has not changed recently. So, the change in
>behavior would not be from a recently introduced false positive in the
>algorithm. In addition, it sounds like the event is legitimate. I
>recommend using event filters to disable Ping_Sweep events from your
>Whats Up server.
>
>The Ping_Sweep algorithm recognizes ping sweeps using a two stage
>algorithm for efficiency. The first stage is an efficient statistical
>algorithm that allows the IDS to use very few resources to monitor large
>numbers of network devices. This first stage is somewhat lossy (in much
>the same way a JPEG image is lossy). Any potential intruders identified by
>the first stage are passed to the second stage in which a more detailed
>and expensive deterministic analysis is performed. My guess is that
>prior to 2 months ago, the level of activity that your Whats Up server
>generated was just under the threshold for the first stage of the
>algorithm. About 2 months ago, either you added another remote server to
>monitor or some other seemingly minor change occurred (a change in the
>IP address of a remote server for instance) that changed the results
>within the statistical first stage enough to exceed its thresholds.
>
>Paul
>
>-----Original Message-----
>From: issforum-bounces@atla-mm1.iss.net On Behalf Of Hee Kiong
>Sent: Tuesday, October 04, 2005 4:10 AM
>To: issforum@atla-mm1.iss.net
>Subject: [ISSForum] Ping Sweep
>
>
>Hi,
>
>I have a server running whatsup application that monitors various
>servers at a remote site by using ICMP ping. The whatsup server will
>poll those servers every minute. I have an IDS installed at the remote
>site to monitor the incoming and outgoing traffic. The whatsup server
>has been running for about 1 1/2 years and only recently (2 months ago)
>I saw the ping sweep events show up at the remote IDS. The event showed
>me that the source IP is from the whatsup server and the destination IP
>addresses are those various servers at the remote site. The whatsup
>server is doing the ICMP sweep of those servers, and it is a valid event.
>
>I would like to know why this happens only just recently whereas I
>should see this event on the first day I got the whatsup server in
>place. Is it possible that these are false positive reports? How can you
>show that they are false positive events? Hope to get some help here.
>Thanks
>
>
>
>

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.