Sid 1-469

Summary

This event is generated when an ICMP ping typically generated by nmap is detected.

Impact

This could indicate a full scan by nmap which is sometimes indicative of potentially malicious behavior.

Detailed information

Nmap's ICMP ping, by default, sends zero data as part of the ping. Nmap typically pings the host via icmp if the user has root privileges, and uses a tcp-ping otherwise.

Attack scenarios

As part of an information gathering attempt, an attacker may use nmap to see what hosts are alive on a given network. If nmap is used for portscanning as root, the icmp ping will occur by default unless the user specifies otherwise (via '-P0').

Ease of attack

Trivial. Nmap requires little or no skill to operate.

False positives

Possible. The only current identifying feature of nmap's ICMP ping is that the data size is 0. It is entirely possible that other tools may send icmp pings with zero data.

Kontiki delivery manager used on windows platforms to download multimedia files is known to produce ICMP pings that can cause this rule to generate many events.

avast! antivirus update feature is reported to produce ICMP pings with zero data when connecting to the avast servers. This can occur every 40 seconds if no reply is received by the client.

The avast! client attempts to ping one of the following servers:

URL: http://www.asw.cz/iavs4pro IP: 195.70.130.34

URL: http://www.avast.com/iavs4pro IP: 66.98.166.72

URL: http://www.iavs.net/iavs4pro IP: 207.44.156.15

URL: http://www.iavs.cz/iavs4pro IP: 62.168.45.69

False negatives

None currently.

Corrective action

If you detect other suspicous traffic from this host (i.e., a portscan), follow standard procedure to assess what threat this may pose. If you only detect the icmp ping, this may have simply been a 'ping sweep' and may be ignored.

Contributors

Additional references