GEN:SID 1:387
Message ICMP Address Mask Reply undefined code
Summary This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks.
Impact Information gathering.
Detailed Information If an attacker sends an ICMP request to an internal server for address mask information (SID 389 should trigger when this activity is seen), an internal server may reply with subnet mask information.  This can provide an attacker with information about subnet mask configuration that can be useful for future attacks.
Affected Systems Any system that responds to ICMP address mask requests.
Attack Scenarios An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration.
Ease of Attack Simple. Tools that use this method of information gathering are freely available.
Corrective Action Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network.
Additional References CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524

ArachNIDS
http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216