Snort mailing list archives

RE: ICMP Ping NMAP troubleshooting


From: "Stephen W. Thomas" <swthomas () techsoft com>
Date: Tue, 20 May 2003 09:00:10 -0500

Yes we have a network monitor but we've already filtered pings generated from that system out. These pings are coming 
from all of our W2K servers to one specific server, our DNS/Windows Terminal server.
 
All of these systems, including the snort setup, are behind our firewall as well as our snort box. We decided it would 
not benefit us to put snort outside our firewall. We want to monitor what's getting through on to our internal network.
 
Thanks,
Steve

        -----Original Message----- 
        From: Simon Gray [mailto:simong () desktop-guardian com] 
        Sent: Tue 5/20/2003 8:52 AM 
        To: Stephen W. Thomas; snort-users () lists sourceforge net 
        Cc: 
        Subject: Re: [Snort-users] ICMP Ping NMAP troubleshooting
        
        

        Are you running any form of server checking software?
        
        Some of those tend to use pings to check if host is up.
        
        Could you not filter out external -> internal pings via a firewall?
        ----- Original Message -----
        From: "Stephen W. Thomas" <swthomas () techsoft com>
        To: <snort-users () lists sourceforge net>
        Sent: Tuesday, May 20, 2003 2:08 PM
        Subject: [Snort-users] ICMP Ping NMAP troubleshooting
        
        
        > I've just setup a snort & acid setup on our company network. I've noticed
        > a lot of ICMP Ping NMAP hits coming from our servers and going to our W2K
        > DNS/Terminal server. I'd like to find out if this is normal or what is
        > generating the pings but I'm not sure how to track a packet with no payload
        > back to its source program. Also, if it's normal for my network, then what
        > do most people recommend?
        >
        > A. Ignore the thousands of hits it gets
        > B. Disable that one rule for the one destination.
        >
        > Any comments would be appreciated.
        >
        > Thanks,
        > Steve
        
        

