Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Re: FP: sid: 469 - ICMP PING NMAP

from [Nigel Houghton] Network Security [Permanent Link]
Subject: [Snort-sigs] Re: FP: sid: 469 - ICMP PING NMAP
Date: Fri, 31 Mar 2006 11:06:46 -0600 
 0, jynx <jynx@icurnet.com>:

I have noticed a false pos from Win2k PCs talking to MS Active Directory
Servers. Below is the missing template information.

 

--
False Positives:        Workstations communicating with Microsoft Active
Directory Servers will cause false positives for this sid.


Thank you for your report, here is the full false positive information
that already exists in the document:

--------------------------------------------------------------------

False Positives:
Possible.  The only current identifying feature of nmap's ICMP ping is
that the data size is 0.  It is entirely possible that other tools may
send icmp pings with zero data.

Kontiki delivery manager used on windows platforms to download
multimedia files is known to produce ICMP pings that can cause this
rule to generate many events.

avast! antivirus update feature is reported to produce ICMP pings with
zero data when connecting to the avast servers. This can occur every 40
seconds if no reply is received by the client.

The avast! client attempts to ping one of the following servers:

URL: http://www.asw.cz/iavs4pro
IP: 195.70.130.34

URL: http://www.avast.com/iavs4pro
IP: 66.98.166.72

URL: http://www.iavs.net/iavs4pro
IP: 207.44.156.15

URL: http://www.iavs.cz/iavs4pro
IP: 62.168.45.69

--------------------------------------------------------------------

If your information can be verified, we will add it to the document.
Please make sure your variables are set correctly, the rule is designed
to only generate an event from hosts outside the internal network, if
the PCs in question are outside the HOME_NET and the AD server is on the
HOME_NET, this may be the cause of the false positive event.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] FP: sid: 469 - ICMP PING NMAP, jynx
Previous by Thread:  [Snort-sigs] FP: sid: 469 - ICMP PING NMAP, jynx
Indexes:  [Date] [Thread] [Top] [All Lists]