GEN:SID | 1:469 |
Message | ICMP PING NMAP |
Summary | This event is generated when an ICMP ping typically generated by nmap is detected.
|
Impact | This could indicate a full scan by nmap which is sometimes indicative of potentially malicious behavior.
|
Detailed Information | Nmap's ICMP ping, by default, sends zero data as part of the ping. Nmap typically pings the host via ICMP if the user has root privileges, and uses a TCP ping otherwise.
|
Affected Systems | |
Attack Scenarios | As part of an information gathering attempt, an attacker may use nmap to see what hosts are alive on a given network. If nmap is used for port scanning as root, the ICMP ping will occur by default unless the user specifies otherwise (via '-P0').
|
Ease of Attack | Trivial. Nmap requires little or no skill to operate.
|
Corrective Action | If you detect other suspicious traffic from this host (e.g., a portscan), follow standard procedure to assess what threat this may pose. If you only detect the ICMP ping, this may have simply been a 'ping sweep' and may be ignored.
|
Additional References | www.insecure.org
|
Rule References | arachnids: 162
|
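The check described under Detailed Information (an ICMP echo request that carries zero data), written out as an added Python example; it is not the rule's own source. The function names and the sample addresses (documentation ranges) are assumptions made here, and the packets are constructed test data.

```python
import socket
import struct

ICMP_PROTO, ECHO_REQUEST = 1, 8

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 header + ICMP echo request."""
    icmp = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                      ICMP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp

def zero_data_echo_request(packet: bytes):
    """Return (src, dst) if packet is an IPv4 ICMP echo request carrying
    no data after the 8-byte ICMP header, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    frag, = struct.unpack("!H", packet[6:8])
    if ihl < 20 or packet[9] != ICMP_PROTO or frag & 0x3FFF:
        return None  # not ICMP, or a fragment whose data length is unknown
    # Trust the IP total length, not the capture length: Ethernet pads
    # short frames, and that padding is not ICMP data.
    if total_len > len(packet) or total_len - ihl != 8:
        return None
    if packet[ihl] != ECHO_REQUEST:
        return None
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

if __name__ == "__main__":
    empty = build_echo_request("192.0.2.10", "198.51.100.5")
    normal = build_echo_request("192.0.2.10", "198.51.100.5", b"A" * 56)
    print(zero_data_echo_request(empty), zero_data_echo_request(normal))
```

A match on this check alone says only that an empty echo request was seen; as Corrective Action notes, it matters mainly when the same source also shows other suspicious traffic.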