
| Subject: | Re: [ISSForum] Ping Sweep |
|---|---|
| Date: | Tue, 18 Oct 2005 19:46:07 +0400 |
In the Microsoft world every machine produces Ping_Sweep and I don't know why; I think it's false positives. In this case (most of my servers are Windows and almost all workstations are Windows too) I think the Ping_Sweep signature is completely unhelpful.

---
Best regards,
Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50
tel +7 095 777 77 07 (1613)

-----Original Message-----
From: issforum-bounces@iss.net [mailto:issforum-bounces@iss.net] On Behalf Of Hee Kiong
Sent: Saturday, October 08, 2005 5:33 AM
To: Palmer, Paul (ISSAtlanta)
Cc: issforum@atla-mm1.iss.net
Subject: Re: [ISSForum] Ping Sweep

Hi Paul,

Is there any update on the algorithm that I am requesting from you?

Thanks
Hee Kiong Lau
Danawan Technologies Sdn Bhd
Tel: +673-2237777
Fax: +673-2237778
Mobile: +673-8712237

Palmer, Paul (ISSAtlanta) wrote:

The Ping_Sweep algorithm has not changed recently. So, the change in behavior would not be from a recently introduced false positive in the algorithm. In addition, it sounds like the event is legitimate. I recommend using event filters to disable Ping_Sweep events from your Whats Up server.

The Ping_Sweep algorithm recognizes ping sweeps using a two-stage algorithm for efficiency. The first stage is an efficient statistical algorithm that allows the IDS to use very few resources to monitor large numbers of network devices. This first stage is somewhat lossy (in much the same way a JPEG image is lossy). Any potential intruders identified by the first stage are passed to the second stage, in which a more detailed and expensive deterministic analysis is performed.

My guess is that prior to 2 months ago, the level of activity that your Whats Up server generated was just under the threshold for the first stage of the algorithm. About 2 months ago, either you added another remote server to monitor or some other seemingly minor change occurred (a change in the IP address of a remote server, for instance) that changed the results within the statistical first stage enough to exceed its thresholds.

Paul

-----Original Message-----
From: issforum-bounces@atla-mm1.iss.net On Behalf Of Hee Kiong
Sent: Tuesday, October 04, 2005 4:10 AM
To: issforum@atla-mm1.iss.net
Subject: [ISSForum] Ping Sweep

Hi,

I have a server running the whatsup application that monitors various servers at a remote site by using ICMP ping. The whatsup server will poll those servers every minute. I have an IDS installed at the remote site to monitor the incoming and outgoing traffic. The whatsup server has been running for about 1 1/2 years and only recently (2 months ago) I saw the ping sweep events show up at the remote IDS. The event showed me that the source IP is from the whatsup server and the destination IP addresses are those various servers at the remote site. The whatsup server is doing the ICMP sweep of those servers and it is a valid event. I would like to know why this happens only just recently, whereas I should have seen this event on the first day I got the whatsup server in place. Is it possible that this is a false positive report? How can you show that it is a false positive event?

Hope to get some help here.

Thanks
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
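The two-stage design Paul describes (a cheap, lossy statistical first stage that watches every source, followed by an exact deterministic second stage for the few sources it hands over) together with his suggestion of an event filter for the known monitoring host, as an added Python example. This is not code from the thread or from any ISS product; the bitmap size, the thresholds, the 60-second window, the host addresses and the sample traffic are all constructed assumptions for the illustration.

```python
"""Two-stage ping-sweep detector with an event filter (added example)."""
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # detection window; matches the one-minute poll interval in the thread
BITMAP_BITS = 64        # per-source bitmap for stage 1; hash collisions make it lossy
STAGE1_THRESHOLD = 6    # bitmap popcount that hands a source over to stage 2 (assumed)
STAGE2_THRESHOLD = 4    # exact distinct targets seen after hand-over that raise an event (assumed)


def _dst_bit(dst_ip):
    """Map a destination address to one bit of the first-stage bitmap."""
    digest = hashlib.blake2b(dst_ip.encode(), digest_size=2).digest()
    return int.from_bytes(digest, "big") % BITMAP_BITS


class PingSweepDetector:
    def __init__(self, ignored_sources=()):
        # Event filter: sources whose Ping_Sweep events are suppressed, which is
        # what the thread recommends for a legitimate monitoring host.
        self.ignored_sources = set(ignored_sources)
        self._bitmap = defaultdict(int)        # stage 1: src -> bitmap of hashed destinations
        self._window_start = {}                # stage 1: src -> start of its current window
        self._history = defaultdict(deque)     # stage 2: src -> (ts, dst) seen since hand-over
        self._reported = set()                 # (src, window_start) pairs already decided
        self.events = []
        self.suppressed = 0

    def observe(self, ts, src, dst):
        """Feed one ICMP echo request (timestamp in seconds); return an event dict or None."""
        # Stage 1: constant work per packet and bounded memory per source. Two
        # destinations that hash to the same bit are counted once, so the
        # estimate can only undercount; that is the lossy part.
        start = self._window_start.get(src)
        if start is None or ts - start >= WINDOW_SECONDS:
            self._window_start[src] = start = ts
            self._bitmap[src] = 0
        self._bitmap[src] |= 1 << _dst_bit(dst)
        if bin(self._bitmap[src]).count("1") < STAGE1_THRESHOLD:
            return None

        # Stage 2: exact sliding window, kept only for sources stage 1 flagged,
        # so it starts counting from the hand-over packet onwards.
        hist = self._history[src]
        hist.append((ts, dst))
        while ts - hist[0][0] >= WINDOW_SECONDS:
            hist.popleft()
        distinct = {d for _, d in hist}
        if len(distinct) < STAGE2_THRESHOLD or (src, start) in self._reported:
            return None
        self._reported.add((src, start))

        # The filter is applied last so that suppressed events are still counted.
        if src in self.ignored_sources:
            self.suppressed += 1
            return None
        event = {"signature": "Ping_Sweep", "src": src, "targets": len(distinct), "ts": ts}
        self.events.append(event)
        return event


def sample_traffic():
    """Constructed traffic: a monitoring host (10.0.0.5) polls 20 remote servers
    once a minute for two minutes, and a workstation pings three hosts."""
    records = []
    for poll in range(2):
        base = poll * WINDOW_SECONDS
        for i in range(20):
            records.append((base + i, "10.0.0.5", "10.1.0.%d" % (i + 1)))
    records += [(5, "10.0.0.77", "10.1.0.1"),
                (6, "10.0.0.77", "10.1.0.2"),
                (7, "10.0.0.77", "10.1.0.3")]
    return sorted(records)


def run_sample(ignored_sources=()):
    """Run the constructed traffic through a detector and return it for inspection."""
    det = PingSweepDetector(ignored_sources)
    for ts, src, dst in sample_traffic():
        det.observe(ts, src, dst)
    return det


if __name__ == "__main__":
    print("no filter:", run_sample().events)
    print("filtered: ", run_sample({"10.0.0.5"}).events)
```

Without a filter the monitoring host raises one Ping_Sweep event per polling window, exactly the behaviour described in the thread; with its address in `ignored_sources` the events are suppressed but still counted, so a real sweep from any other source still alerts. Filtering by known source keeps the signature useful, whereas disabling it outright would also hide sweeps from hosts that have no business polling the remote site.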