Network Security Snort-Signatures
[Snort-sigs] false positive

Subject: [Snort-sigs] false positive
Date: Mon, 6 Dec 2004 10:23:37 -0600
Meta            ID #: 6 - 6
                Time: 2004-11-09 15:04:45
                Triggered Signature: [arachNIDS <http://www.whitehats.com/info/ids154>] [snort <http://www.snort.org/snort-db/sid.html?sid=483>] ICMP PING CyberKit 2.2 Windows

Sensor          name: unknown:fxp0    interface: fxp0    filter: none

Alert Group     none

IP              source addr: 10.2.2.2    dest addr: 10.1.1.1
                Ver: 4    Hdr Len: 5    TOS: 0    length: 84    ID: 41868
                flags: 0    offset: 0    TTL: 238    chksum: 44968

FQDN            Source Name: Unable to resolve address    Dest. Name: mail

Options         none

ICMP            type: (8) Echo Request    code: (0) 0    checksum: 10031
                id: (blank)    seq #: (blank)

Payload         length = 56

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
030 : AA AA AA AA AA AA AA AA                           ........


GEN:SID         1:483
Message         ICMP PING CyberKit 2.2 Windows
Rule            alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
Summary         This event is generated when an ICMP echo request is made
                from a Windows host running CyberKit 2.2 software.
Impact          Information gathering. An ICMP echo request can determine
                if a host is active.
Detailed Information
                An ICMP echo request is used by the ping command to elicit
                an ICMP echo reply from a listening live host. An echo
                request that originates from a Windows host running
                CyberKit 2.2 software contains a unique payload in the
                message request.
Affected Systems
                All
Attack Scenarios
                An attacker may attempt to determine live hosts in a
                network prior to launching an attack.
Ease of Attack  Simple
False Positives An ICMP echo request may be used to legitimately
                troubleshoot networking problems.
                If you think this rule has false positives, please help
                fill it out.
False Negatives None known.
                If you think this rule has false negatives, please help
                fill it out.
Corrective Action
                Block inbound ICMP echo requests.
Contributors    Original rule written by Max Vision <vision@whitehats.org>
                Documented by Steven Alexander <alexander.s@mccd.edu>
                Sourcefire Research Team
                Judy Novak <judy.novak@sourcefire.com>
Additional References
                http://www.whitehats.com/info/IDS154
Rule References arachnids: 154


The above rule is getting a false positive when a ping from BigBrother
running on Win32 (10.2.2.2) is pinging 10.1.1.1. Both systems are behind
CheckPoint firewalls. Let me know if you need more info.

Chris Luhman 
IT Administrator 
Minnesota Health Licensing Boards 
2829 University Ave SE, Suite 310 
Minneapolis, MN 55414-3222 
(612) 627-5428
(612) 627-5442 FAX 
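As an added example (not code from the post, from the Snort project or from Sourcefire), the following Python re-implements the three options that decide SID 1:483 (itype:8, the 16-byte 0xAA content, depth:32) and runs them over the 56-byte payload from the alert's hex dump. It parses the ACID-style dump as printed above, rebuilds the ICMP echo request around it, and also checks that the rebuilt packet is consistent with the IP total length of 84 reported in the alert. The alert leaves the ICMP id and seq fields blank, so the example fills them with 0 (an assumption); the Windows ping.exe payload and the offset-shifted 0xAA payloads are constructed comparison inputs, not data from the post.

```python
import re
import struct

# Hex dump copied from the alert in the post: 56 bytes, all 0xAA.
# The trailing ASCII column is ignored by the parser below.
ALERT_HEX_DUMP = """\
000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
030 : AA AA AA AA AA AA AA AA                           ........
"""

# Detection options quoted from SID 1:483 in the post:
#   itype:8; content:"|AA x16|"; depth:32;
SID483_ITYPE = 8
SID483_CONTENT = bytes.fromhex("AA" * 16)
SID483_DEPTH = 32

# Constructed comparison input (not from the post): the 32-byte payload
# that Windows ping.exe sends, which the rule must not match.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

IP_HDR_LEN = 20        # IHL 5 words * 4 bytes, as in the alert
ICMP_ECHO_HDR_LEN = 8  # type, code, checksum, id, seq


def parse_hex_dump(dump):
    """Parse 'OFFSET : HH HH ...   ascii' lines into raw bytes.

    Only the hex column is read; the ASCII column after the wide gap is
    skipped because it no longer starts with a two-digit hex pair."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2}(?:\s|$))+)", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def icmp_checksum(data):
    """RFC 792 one's-complement checksum over the whole ICMP message.
    Verifying a received message (checksum field included) yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload, icmp_type=8, ident=0, seq=0):
    """Build an ICMP echo request (type 8) or echo reply (type 0).

    The alert shows id and seq blank, so they default to 0 here; that is
    an assumption, not a value taken from the page."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    cksum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, cksum, ident, seq) + payload


def sid483_matches(icmp_packet):
    """Apply SID 483's options the way Snort applies them to an icmp rule.

    itype:8 tests the ICMP type byte. content/depth:32 searches only the
    ICMP payload (bytes after the 8-byte echo header) and the pattern
    must lie entirely within its first 32 bytes."""
    if len(icmp_packet) < ICMP_ECHO_HDR_LEN or icmp_packet[0] != SID483_ITYPE:
        return False
    payload = icmp_packet[ICMP_ECHO_HDR_LEN:]
    return SID483_CONTENT in payload[:SID483_DEPTH]


def ip_total_length(icmp_packet):
    """IP total length when this ICMP message rides behind a 20-byte
    IP header; the alert reports 84 = 20 + 8 + 56."""
    return IP_HDR_LEN + len(icmp_packet)


def classify(samples):
    """Return {name: matched} for a dict of name -> ICMP packet."""
    return {name: sid483_matches(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    alert_payload = parse_hex_dump(ALERT_HEX_DUMP)
    samples = {
        "alert payload (BigBrother ping)": build_icmp_echo(alert_payload),
        "echo reply, same payload": build_icmp_echo(alert_payload, icmp_type=0),
        "Windows ping.exe payload": build_icmp_echo(WINDOWS_PING_PAYLOAD),
        "0xAA run starting at offset 16": build_icmp_echo(b"\x00" * 16 + b"\xaa" * 16),
        "0xAA run starting at offset 17": build_icmp_echo(b"\x00" * 17 + b"\xaa" * 16),
    }
    print("IP total length of rebuilt alert packet:",
          ip_total_length(samples["alert payload (BigBrother ping)"]))
    for name, hit in classify(samples).items():
        print(f"{name:<34} {'ALERT sid:483' if hit else 'no match'}")
```

Running it shows why the BigBrother ping trips the rule: its payload is nothing but 0xAA, so any 16 of those bytes inside the first 32 satisfy the content match, and the rule has no other feature (id, seq, payload length) to tell CyberKit apart from any other tool that pads with 0xAA. The offset-16 and offset-17 cases show the depth edge exactly: depth:32 requires the whole 16-byte pattern to end within the first 32 payload bytes, so a run that starts one byte later is not matched.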

