I differ on this. The ping_sweep signature is very helpful for me and may be
indicative of any of the following:

1. Virus infection/spyware
2. Mis-configured SNMP agent/server service
3. Network monitoring software (manager or agent)

My 2 cents

Michael Mundi
(703) 607-8455
DSN 327-8455
Computer Network Defense (CND)
Security Engineer, Contractor
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Soldatov, Sergey V.
Sent: Tuesday, October 18, 2005 11:46 AM
To: Hee Kiong; Palmer, Paul (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] Ping Sweep

In the Microsoft world every machine produces Ping_Sweep and I don't know
why; I think it's false positives. In this case (most of my servers are
Windows and almost all workstations are Windows too) I think the Ping_sweep
signature is completely unhelpful.

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 
tel +7 095 777 77 07 (1613) 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Hee Kiong
> Sent: Saturday, October 08, 2005 5:33 AM
> To: Palmer, Paul (ISSAtlanta)
> Cc: [EMAIL PROTECTED]
> Subject: Re: [ISSForum] Ping Sweep
> 
> Hi Paul,
> 
> Is there any update on the algorithm that I am requesting 
> from you? Thanks
> 
> 
> Hee Kiong Lau
> Danawan Technologies Sdn Bhd
> Tel: +673-2237777
> Fax: +673-2237778
> Mobile: +673-8712237
> 
> 
> 
> Palmer, Paul (ISSAtlanta) wrote:
> 
> >The Ping_Sweep algorithm has not changed recently. So, the change in 
> >behavior would not be from a recently introduced false positive in the 
> >algorithm. In addition, it sounds like the event is legitimate. I 
> >recommend using event filters to disable Ping_Sweep events from your 
> >Whats Up server.
> >
> >The Ping_Sweep algorithm recognizes ping sweeps using a two stage 
> >algorithm for efficiency. The first stage is an efficient statistical 
> >algorithm that allows the IDS to use very few resources to monitor 
> >large numbers of network devices. This first stage is somewhat lossy 
> >(in much the same way a JPEG image is lossy). Any potential intruders 
> >identified by the first stage are passed to the second stage in which a 
> >more detailed and expensive deterministic analysis is performed. My 
> >guess is that prior to 2 months ago, the level of activity that your 
> >Whats Up server generated was just under the threshold for the first 
> >stage of the algorithm. About 2 months ago, either you added another 
> >remote server to monitor or some other seemingly minor change occurred 
> >(a change in the IP address of a remote server for instance) that 
> >changed the results within the statistical first stage enough 
> >to exceed its thresholds.
> >
> >Paul
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] On Behalf Of Hee Kiong
> >Sent: Tuesday, October 04, 2005 4:10 AM
> >To: [EMAIL PROTECTED]
> >Subject: [ISSForum] Ping Sweep
> >
> >
> >Hi,
> >
> >I have a server running the whatsup application that monitors various 
> >servers at a remote site by using ICMP ping. The whatsup server will 
> >poll those servers every minute. I have an IDS installed at the remote 
> >site to monitor the incoming and outgoing traffic. The whatsup server 
> >has been running for about 1 1/2 years and only recently (2 months ago) 
> >I saw the ping sweep events show up at the remote IDS. The event showed 
> >me that the source IP is from the whatsup server and the destination IP 
> >addresses are those various servers at the remote site. The whatsup 
> >server is doing the ICMP sweep of those servers and it is a valid event.
> >
> >I would like to know why this happens only just recently whereas I 
> >should have seen this event on the first day I got the whatsup server in 
> >place. Is it possible that these are false positive reports? How can you 
> >show that these are false positive events? Hope to get some help here.
> >Thanks
> >
> >
> 
> _______________________________________________
> ISSForum mailing list
> [email protected]
> 
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
> https://atla-mm1.iss.net/mailman/listinfo/issforum
> 
> To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
> 
> The ISSForum mailing list is hosted and managed by Internet 
> Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
> 
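The two-stage scheme Paul describes above (a cheap, lossy statistical first stage that hands suspects to an exact, more expensive second stage, plus an event filter to silence a known poller such as the Whats Up server) can be sketched as a small detector. The code below is an added illustration and is not ISS's implementation or anything from this thread; the bucket function, the thresholds (8 distinct hosts, 60-second window), the class names and all addresses are constructed assumptions. It also reproduces Paul's hypothesis: a monitoring server that polls eight hosts stays just under the first-stage threshold because two of its targets collide in the sketch, and adding a ninth host pushes it over.

```python
"""Two-stage ping-sweep detection (illustrative, not the ISS algorithm):
a lossy first stage gates an exact second stage; an event filter drops a
known monitoring server before either stage does any work."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class EchoRequest:
    ts: int   # seconds since capture start (constructed timestamps)
    src: str  # ICMP echo request source
    dst: str  # ICMP echo request destination


class Stage1Sketch:
    """Per-source bit field over a small table of destination buckets.
    Destinations sharing a bucket are counted once, so the estimate of
    distinct targets can only undercount: that is the lossiness."""

    def __init__(self, buckets: int = 64, threshold: int = 8):
        self.buckets, self.threshold = buckets, threshold
        self._bits = defaultdict(int)  # src -> int used as a bit field

    def bucket(self, dst: str) -> int:
        # Hypothetical bucket function: address as integer modulo table size.
        return int(ipaddress.ip_address(dst)) % self.buckets

    def observe(self, src: str, dst: str) -> bool:
        """True once src has touched `threshold` distinct buckets."""
        self._bits[src] |= 1 << self.bucket(dst)
        return bin(self._bits[src]).count("1") >= self.threshold


class Stage2Exact:
    """Exact sliding-window count of distinct destinations per source.
    Memory grows with traffic in the window, so only escalated sources
    are fed to it."""

    def __init__(self, window: int = 60, min_hosts: int = 8):
        self.window, self.min_hosts = window, min_hosts
        self._recent = defaultdict(deque)  # src -> deque of (ts, dst)

    def observe(self, pkt: EchoRequest) -> bool:
        q = self._recent[pkt.src]
        q.append((pkt.ts, pkt.dst))
        while q and pkt.ts - q[0][0] > self.window:
            q.popleft()
        return len({dst for _, dst in q}) >= self.min_hosts


class PingSweepDetector:
    def __init__(self, filtered_sources=()):
        self.stage1, self.stage2 = Stage1Sketch(), Stage2Exact()
        self.filtered = set(filtered_sources)  # event filter (known pollers)
        self.escalated = set()  # sources handed to the exact stage
        self.alerted = set()    # sources confirmed as sweeping

    def process(self, pkt: EchoRequest) -> bool:
        """True when this packet confirms a ping sweep from pkt.src."""
        if pkt.src in self.filtered:
            return False
        if pkt.src not in self.escalated and self.stage1.observe(pkt.src, pkt.dst):
            self.escalated.add(pkt.src)
        if pkt.src in self.escalated and self.stage2.observe(pkt):
            self.alerted.add(pkt.src)
            return True
        return False


# Constructed traffic: a monitoring server polls each target once a minute,
# one target per second; a workstation pings its gateway once a minute.
MONITOR = "10.0.0.5"
ORIGINAL_TARGETS = [f"10.1.1.{k}" for k in (1, 2, 3, 4, 5, 6, 7, 67)]  # .3/.67 collide
ADDED_TARGET = "10.1.1.9"


def scenario(targets, filtered=(), cycles=3):
    """Run the detector over `cycles` polling rounds and summarise the outcome."""
    pkts = [EchoRequest(ts=c * 60 + i, src=MONITOR, dst=d)
            for c in range(cycles) for i, d in enumerate(targets)]
    pkts += [EchoRequest(ts=c * 60, src="10.1.1.50", dst="10.1.1.1") for c in range(cycles)]
    pkts.sort(key=lambda p: p.ts)
    det = PingSweepDetector(filtered_sources=filtered)
    alerts = [p for p in pkts if det.process(p)]
    return {"escalated": sorted(det.escalated), "alerted": sorted(det.alerted),
            "first_alert_ts": alerts[0].ts if alerts else None}


if __name__ == "__main__":
    print("8 targets (one bucket collision):", scenario(ORIGINAL_TARGETS))
    print("9th target added:", scenario(ORIGINAL_TARGETS + [ADDED_TARGET]))
    print("9 targets, poller filtered:",
          scenario(ORIGINAL_TARGETS + [ADDED_TARGET], filtered={MONITOR}))
```

With eight targets the sketch counts only seven buckets and the poller is never escalated; with the ninth it is escalated on the first round and confirmed by the exact stage during the second round, once eight distinct destinations fall inside the window. Filtering the poller's address, as Paul recommends, suppresses the event without touching either stage's thresholds, which is the right fix when the sweep is known-legitimate and the wrong one when, per Michael's list, the sweeping host is not a sanctioned monitor.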

