Hi Paul, I checked on the whatsup server and noticed that we didn't add any additional servers to be monitored. I guess the ping sweep must have hit the threshold. Can you explain this threshold further? Thanks
Hee Kiong Lau
Danawan Technologies Sdn Bhd
Tel: +673-2237777
Fax: +673-2237778
Mobile: +673-8712237

Palmer, Paul (ISSAtlanta) wrote:
> The Ping_Sweep algorithm has not changed recently. So, the change in
> behavior would not be from a recently introduced false positive in the
> algorithm. In addition, it sounds like the event is legitimate. I
> recommend using event filters to disable Ping_Sweep events from your
> Whats Up server.
>
> The Ping_Sweep algorithm recognizes ping sweeps using a two stage
> algorithm for efficiency. The first stage is an efficient statistical
> algorithm that allows the IDS to use very few resources to monitor large
> numbers of network devices. This first stage is somewhat lossy (in much
> the same way a JPEG image is lossy). Any potential intruders identified by
> the first stage are passed to the second stage in which a more detailed
> and expensive deterministic analysis is performed. My guess is that
> prior to 2 months ago, the level of activity that your Whats Up server
> generated was just under the threshold for the first stage of the
> algorithm. About 2 months ago, either you added another remote server to
> monitor or some other seemingly minor change occurred (a change in the
> IP address of a remote server for instance) that changed the results
> within the statistical first stage enough to exceed its thresholds.
>
> Paul
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Hee Kiong
> Sent: Tuesday, October 04, 2005 4:10 AM
> To: [EMAIL PROTECTED]
> Subject: [ISSForum] Ping Sweep
>
> Hi,
>
> I have a server running the whatsup application that monitors various
> servers at a remote site by using ICMP ping. The whatsup server will
> poll those servers every minute. I have an IDS installed at the remote
> site to monitor the incoming and outgoing traffic. The whatsup server
> has been running for about 1 1/2 years and only recently (2 months ago)
> I saw the ping sweep events show up at the remote IDS. The event showed
> me that the source IP is the whatsup server and the destination IP
> addresses are those various servers at the remote site. The whatsup
> server is doing an ICMP sweep of those servers, and it is a valid event.
>
> I would like to know why this happens only just recently, whereas I
> should have seen this event on the first day I got the whatsup server in
> place. Is it possible that these are false positive reports? How can you
> show that these are false positive events? Hope to get some help here.
> Thanks

_______________________________________________
ISSForum mailing list
[email protected]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
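The two-stage design Paul describes above (a cheap, lossy statistical first stage that hands candidates to an exact second stage, with an event filter to suppress the known monitoring server) can be sketched in a few lines. The following is an added Python example written for this page; it is a hypothetical illustration of that design, not ISS's Ping_Sweep code, and the bucket count, threshold, window length and the 192.0.2.10 / 198.51.100.x / 203.0.113.5 addresses are constructed assumptions.

```python
"""Hypothetical two-stage ping-sweep detector (illustration, not the ISS algorithm)."""
from collections import defaultdict

# Each record is one ICMP echo request seen by the sensor: (timestamp_sec, src_ip, dst_ip).
STAGE1_BUCKETS = 16      # size of the per-source lossy sketch (assumed value)
SWEEP_THRESHOLD = 8      # distinct destinations per window that count as a sweep (assumed value)
WINDOW_SECONDS = 60      # one polling interval of the monitoring server (assumed value)


def bucket_of(dst_ip: str) -> int:
    """Lossy hash for stage 1: only the last octet is used, so .1 and .17 share a bucket.
    That collision is the "JPEG-like" loss: distinct targets can be under-counted."""
    return int(dst_ip.rsplit(".", 1)[1]) % STAGE1_BUCKETS


def stage1_candidates(records, window=WINDOW_SECONDS):
    """Cheap statistical pass: per (source, window) count the buckets touched.
    Memory is bounded by STAGE1_BUCKETS per source, not by the number of targets."""
    touched = defaultdict(set)  # (src, window_id) -> set of bucket ids
    for ts, src, dst in records:
        touched[(src, ts // window)].add(bucket_of(dst))
    return {key for key, buckets in touched.items() if len(buckets) >= SWEEP_THRESHOLD}


def stage2_confirm(records, candidates, window=WINDOW_SECONDS):
    """Expensive deterministic pass, run only for stage-1 candidates:
    track the exact set of destinations and confirm the sweep."""
    exact = defaultdict(set)  # (src, window_id) -> exact destination set
    for ts, src, dst in records:
        key = (src, ts // window)
        if key in candidates:
            exact[key].add(dst)
    return [
        {"event": "Ping_Sweep", "src": src, "window": win, "targets": sorted(dsts)}
        for (src, win), dsts in exact.items()
        if len(dsts) >= SWEEP_THRESHOLD
    ]


def detect(records, event_filter=()):
    """Full pipeline. event_filter holds source IPs (e.g. a known monitoring
    server) whose Ping_Sweep events are suppressed, as Paul recommends."""
    events = stage2_confirm(records, stage1_candidates(records))
    return [e for e in events if e["src"] not in event_filter]


def monitor_traffic(n_hosts, minutes=2, src="192.0.2.10"):
    """Constructed traffic: a monitoring server polling n_hosts once per minute."""
    return [
        (m * WINDOW_SECONDS + i, src, f"198.51.100.{i + 1}")
        for m in range(minutes)
        for i in range(n_hosts)
    ]


if __name__ == "__main__":
    # Seven monitored hosts sit just under the stage-1 threshold: no event.
    print("7 hosts:", detect(monitor_traffic(7)))
    # Adding one more host crosses it and stage 2 confirms a sweep every minute.
    print("8 hosts:", detect(monitor_traffic(8)))
    # The same traffic with the monitoring server filtered out is silent again.
    print("8 hosts, filtered:", detect(monitor_traffic(8), event_filter={"192.0.2.10"}))
    # Lossiness: eight targets whose last octets all collide in one bucket never reach stage 2.
    lossy = [(0, "203.0.113.5", f"198.51.100.{1 + 16 * k}") for k in range(8)]
    print("colliding targets:", detect(lossy))
```

The point of the sketch is the threshold effect in Paul's explanation: the monitoring server's polling pattern is identical before and after, and only the count of distinct targets (or, in this toy hash, which octets they land on) decides whether stage 1 promotes it to the expensive stage. The last case shows the other side of a lossy first stage, a real sweep that the sketch misses because the targets collide; a production sensor would use a better hash, but the trade-off between resource use and accuracy is the same one the message describes.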
