1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
Rule:
--
Sid:
482
--
Summary:
This event is generated when an ICMP echo request is made from a Windows host running Whatsup Gold software.
--
Impact:
Information gathering. An ICMP echo request can determine if a host is active.
--
Detailed Information:
An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Whatsup Gold software contains a unique payload in the message request.
--
Affected Systems:
All
--
Attack Scenarios:
An attacker may attempt to determine live hosts in a network prior to launching an attack.
--
Ease of Attack:
Simple
--
False Positives:
An ICMP echo request may be used to legimately troubleshoot networking problems.
--
False Negatives:
None known.
--
Corrective Action:
Block inbound ICMP echo requests.
--
Contributors:
Original rule written by Max Vision <vision@whitehats.org>
Documented by Steven Alexander<alexander.s@mccd.edu>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>
--
Additional References:
Arachnids:
http://www.whitehats.com/info/IDS168
--
|
