The Ping_Sweep algorithm has not changed recently. So, the change in
behavior would not be from a recently introduced false positive in the
algorithm. In addition, it sounds like the event is legitimate. I
recommend using event filters to disable Ping_Sweep events from your
Whats Up server.

The Ping_Sweep algorithm recognizes ping sweeps using a two-stage
algorithm for efficiency. The first stage is an efficient statistical
algorithm that allows the IDS to use very few resources to monitor large
numbers of network devices. This first stage is somewhat lossy (in much
the same way a JPEG image is lossy). Any potential intruders identified by
the first stage are passed to the second stage, in which a more detailed
and expensive deterministic analysis is performed. My guess is that
prior to 2 months ago, the level of activity that your Whats Up server
generated was just under the threshold for the first stage of the
algorithm. About 2 months ago, either you added another remote server to
monitor or some other seemingly minor change occurred (a change in the
IP address of a remote server, for instance) that changed the results
within the statistical first stage enough to exceed its thresholds.

Paul
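The two-stage scheme Paul describes above, as an added example written for this page; it is not ISS code and does not reproduce the real Ping_Sweep implementation. Stage 1 keeps one small fixed-size bitmap per source per window and sets one bit per destination, so memory per monitored source is constant but two destinations can share a bit (the lossy part). Only sources whose bitmap crosses the threshold go to stage 2, which recounts exactly from retained packets and attaches evidence. An allow-list of source addresses stands in for the IDS event filter. The bucket function (low bits of the address), the 64-bit bitmap, the 60 s window, the threshold of 8, and the addresses 10.1.1.5 and 192.168.50.x are all assumptions chosen for readability; the traffic is constructed to mimic a monitoring server polling each host once a minute.

```python
"""Illustrative two-stage ping-sweep detector (added example, not ISS code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional
import ipaddress

BUCKETS = 64        # bits in the stage-1 bitmap (assumed; real sizes differ)
WINDOW_S = 60.0     # stage-1 tumbling window length (assumed)
THRESHOLD = 8       # distinct destinations that hand a source to stage 2 (assumed)
HISTORY = 4096      # packets retained for the stage-2 exact analysis (assumed)


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds
    src: str
    dst: str
    icmp_type: int   # 8 = echo request


@dataclass
class PingSweepEvent:
    src: str
    window_start: float
    first_ts: float
    last_ts: float
    destinations: tuple   # exact, sorted distinct destinations
    same_subnet: bool     # every destination inside one /24


def _bucket(dst: str) -> int:
    # Readable stand-in for a hash: the low bits of the address. A real
    # detector would hash properly; the point is that distinct hosts can
    # collide (x.x.x.10 and x.x.x.74 both land in bucket 10).
    return int(ipaddress.ip_address(dst)) % BUCKETS


class Stage1:
    """Cheap, lossy per-source statistics: one bitmap per tumbling window."""

    def __init__(self):
        self.window = None
        self.bitmaps = defaultdict(int)   # src -> bitmap for the current window

    def observe(self, pkt: Packet) -> bool:
        w = int(pkt.ts // WINDOW_S)
        if w != self.window:              # new window: forget all old statistics
            self.window, self.bitmaps = w, defaultdict(int)
        self.bitmaps[pkt.src] |= 1 << _bucket(pkt.dst)
        # popcount never exceeds the true distinct count, so stage 1 only undercounts
        return bin(self.bitmaps[pkt.src]).count("1") >= THRESHOLD


class Stage2:
    """Exact, costlier confirmation over retained packets for one source."""

    def __init__(self):
        self.history = deque(maxlen=HISTORY)

    def retain(self, pkt: Packet) -> None:
        self.history.append(pkt)

    def analyse(self, src: str, now: float) -> Optional[PingSweepEvent]:
        window_start = (now // WINDOW_S) * WINDOW_S
        pkts = [p for p in self.history if p.src == src and window_start <= p.ts <= now]
        dsts = sorted({p.dst for p in pkts}, key=lambda d: int(ipaddress.ip_address(d)))
        if len(dsts) < THRESHOLD:
            return None   # stage-1 estimate not confirmed by the exact recount
        nets = {ipaddress.ip_network(f"{d}/24", strict=False) for d in dsts}
        return PingSweepEvent(src, window_start, min(p.ts for p in pkts),
                              max(p.ts for p in pkts), tuple(dsts), len(nets) == 1)


class Detector:
    def __init__(self, exempt_sources=()):
        self.stage1, self.stage2 = Stage1(), Stage2()
        self.exempt = set(exempt_sources)   # the "event filter": events suppressed per source
        self.reported = set()               # (src, window) pairs already alerted on

    def process(self, pkt: Packet) -> Optional[PingSweepEvent]:
        if pkt.icmp_type != 8:              # only echo requests count towards a sweep
            return None
        self.stage2.retain(pkt)
        if not self.stage1.observe(pkt):
            return None
        key = (pkt.src, int(pkt.ts // WINDOW_S))
        if key in self.reported:
            return None
        event = self.stage2.analyse(pkt.src, pkt.ts)
        if event is None:
            return None
        self.reported.add(key)
        return None if pkt.src in self.exempt else event


# Constructed traffic: a monitoring server pinging each host once a minute.
WHATSUP = "10.1.1.5"                      # assumed address of the monitoring server

def hosts(n: int, base: str = "192.168.50.", first: int = 10):
    return [f"{base}{first + i}" for i in range(n)]

def poller_traffic(src: str, host_list, minutes: int, start: float = 0.0):
    return [Packet(start + 60 * m + i, src, h, 8)
            for m in range(minutes) for i, h in enumerate(host_list)]

def run(packets, exempt_sources=()):
    det = Detector(exempt_sources)
    return [ev for ev in (det.process(p) for p in sorted(packets, key=lambda p: p.ts)) if ev]
```

Polling seven hosts never crosses the stage-1 threshold, so the server can run for months without an event; adding an eighth host produces a confirmed event every minute from then on, which is the behaviour change Paul hypothesises. Putting the server in `exempt_sources` is the event-filter fix and is preferable to disabling the signature globally, since the detection is otherwise valid. The collision case (a host at .74 alongside .10) shows the lossiness: eight real destinations, but stage 1 sees only seven bits and the sweep is missed.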

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Hee Kiong
Sent: Tuesday, October 04, 2005 4:10 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Ping Sweep


Hi,

I have a server running the whatsup application that monitors various 
servers at a remote site by using ICMP ping. The whatsup server will 
poll those servers every minute. I have an IDS installed at the remote 
site to monitor the incoming and outgoing traffic. The whatsup server 
has been running for about 1 1/2 years and only recently (2 months ago) 
I saw the ping sweep events shown at the remote IDS. The event showed 
me that the source IP is from the whatsup server and the destination IP 
addresses are those various servers at the remote site. The whatsup 
server is doing the ICMP sweep of those servers, and it is a valid event.

I would like to know why this happens only recently, whereas I 
should have seen this event on the first day I got the whatsup server in 
place. Is it possible that these are false positive reports? How can you 
show that they are false positive events? Hope to get some help here.
Thanks


-- 
Hee Kiong Lau
Danawan Technologies Sdn Bhd
Tel: +673-2237777
Fax: +673-2237778
Mobile: +673-8712237

_______________________________________________
ISSForum mailing list
[email protected]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
