Let's not forget about worms.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arnold, Kevin
Sent: Monday, October 24, 2005 8:56 AM
To: Mundi, Michael Mr SOTEC; Soldatov, Sergey V.; Hee Kiong; Palmer, Paul (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] Ping Sweep
Or also indicative of spyware.

Regards,
Kevin
614-224-8204

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mundi, Michael Mr SOTEC
Sent: Friday, October 21, 2005 11:20 AM
To: 'Soldatov, Sergey V.'; Hee Kiong; Palmer, Paul (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] Ping Sweep

I differ on this. The ping_sweep signature is very helpful for me and may be indicative of any of the following:

1. Virus infection/spyware
2. Mis-configured SNMP agent/server service
3. Network monitoring software (manager or agent)

My 2 cents

Michael Mundi
(703) 607-8455
DSN 327-8455
Computer Network Defense (CND) Security Engineer, Contractor
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Soldatov, Sergey V.
Sent: Tuesday, October 18, 2005 11:46 AM
To: Hee Kiong; Palmer, Paul (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] Ping Sweep

In the Microsoft world every machine produces Ping_Sweep and I don't know why; I think it's false positives. In this case (most of my servers are Windows and almost all workstations are Windows too) I think the Ping_Sweep signature is completely unhelpful.

---
Best regards,
Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50
tel +7 095 777 77 07 (1613)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hee Kiong
> Sent: Saturday, October 08, 2005 5:33 AM
> To: Palmer, Paul (ISSAtlanta)
> Cc: [EMAIL PROTECTED]
> Subject: Re: [ISSForum] Ping Sweep
>
> Hi Paul,
>
> Is there any update on the algorithm that I am requesting from you?
> Thanks
>
> Hee Kiong Lau
> Danawan Technologies Sdn Bhd
> Tel: +673-2237777
> Fax: +673-2237778
> Mobile: +673-8712237
>
> Palmer, Paul (ISSAtlanta) wrote:
>
> >The Ping_Sweep algorithm has not changed recently. So, the change in behavior would not be from a recently introduced false positive in the algorithm.
> >In addition, it sounds like the event is legitimate. I recommend using event filters to disable Ping_Sweep events from your Whats Up server.
> >
> >The Ping_Sweep algorithm recognizes ping sweeps using a two stage algorithm for efficiency. The first stage is an efficient statistical algorithm that allows the IDS to use very few resources to monitor large numbers of network devices. This first stage is somewhat lossy (in much the same way a JPEG image is lossy). Any potential intruders identified by the first stage are passed to the second stage, in which a more detailed and expensive deterministic analysis is performed. My guess is that prior to 2 months ago, the level of activity that your Whats Up server generated was just under the threshold for the first stage of the algorithm. About 2 months ago, either you added another remote server to monitor or some other seemingly minor change occurred (a change in the IP address of a remote server for instance) that changed the results within the statistical first stage enough to exceed its thresholds.
> >
> >Paul
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] On Behalf Of Hee Kiong
> >Sent: Tuesday, October 04, 2005 4:10 AM
> >To: [EMAIL PROTECTED]
> >Subject: [ISSForum] Ping Sweep
> >
> >Hi,
> >
> >I have a server running the whatsup application that monitors various servers at a remote site by using ICMP ping. The whatsup server will poll those servers every minute. I have an IDS installed at the remote site to monitor the incoming and outgoing traffic. The whatsup server has been running for about 1 1/2 years and only recently (2 months ago) I saw the ping sweep events shown at the remote IDS. The event showed me that the source IP is from the whatsup server and the destination IP addresses are those various servers at the remote site.
> >The whatsup server is doing the ICMP sweep of those servers and it is a valid event.
> >
> >I would like to know why this happens only just recently, whereas I should have seen this event on the first day I got the whatsup server in place. Is it possible that these are false positive reports? How can you show that these are false positive events? Hope to get some help here.
> >Thanks
>
> _______________________________________________
> ISSForum mailing list
> [email protected]
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
>
> The ISSForum mailing list is hosted and managed by Internet Security
> Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
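Paul's two-stage description above, worked through as an added example (a toy reconstruction of my own, not ISS's actual Ping_Sweep code): a cheap, lossy first stage that hashes each destination into a fixed-size per-source bitmap, an exact second stage run only on first-stage candidates, and an event filter that suppresses the known poller the way Paul recommends. The thresholds, the last-octet hash, the 64-bit bitmap size and the poller address 10.1.1.5 are constructed assumptions; the traffic records are constructed, not captured.

```python
from collections import defaultdict

# Constructed ICMP echo-request records (seconds, src, dst); not real IDS data.
def poller_traffic(targets, minutes=3, src="10.1.1.5"):
    # A WhatsUp-style poller pings every monitored target once per minute.
    return [(m * 60 + i, src, t) for m in range(minutes) for i, t in enumerate(targets)]

STAGE1_BITS = 64        # assumed size of the lossy per-source bitmap
STAGE1_THRESHOLD = 5    # bits set before a source becomes a candidate
STAGE2_WINDOW = 60      # seconds of traffic the exact stage looks at
STAGE2_THRESHOLD = 5    # exact distinct destinations inside one window

def stage1_candidates(records):
    """Cheap statistical pass: one bitmap per source, destination hashed to a bit.
    Lossy like JPEG: two destinations that hash to the same bit count only once,
    so a sweep can be missed, and one extra target can tip a source over."""
    bitmaps = defaultdict(int)
    for _, src, dst in records:
        bit = int(dst.rsplit(".", 1)[1]) % STAGE1_BITS   # toy hash: last octet
        bitmaps[src] |= 1 << bit
    return {s for s, bm in bitmaps.items() if bin(bm).count("1") >= STAGE1_THRESHOLD}

def stage2_confirm(records, candidates):
    """Expensive deterministic pass, run only for stage-1 candidates: exact count
    of distinct destinations inside any STAGE2_WINDOW-second sliding window."""
    confirmed = set()
    for src in candidates:
        pkts = sorted((t, d) for t, s, d in records if s == src)
        for i, (t0, _) in enumerate(pkts):
            seen = {d for t, d in pkts[i:] if t - t0 < STAGE2_WINDOW}
            if len(seen) >= STAGE2_THRESHOLD:
                confirmed.add(src)
                break
    return confirmed

def ping_sweep_events(records, event_filter=frozenset()):
    """Sources reported as Ping_Sweep, minus any source suppressed by an event filter
    (the legitimate poller, as Paul suggests for the Whats Up server)."""
    return stage2_confirm(records, stage1_candidates(records)) - event_filter

if __name__ == "__main__":
    four = ["10.2.0.%d" % n for n in range(10, 14)]
    print(ping_sweep_events(poller_traffic(four)))                   # set(): under threshold
    print(ping_sweep_events(poller_traffic(four + ["10.2.0.14"])))   # {'10.1.1.5'}: one more target
    print(ping_sweep_events(poller_traffic(four + ["10.2.0.14"]), {"10.1.1.5"}))  # set(): filtered
```

The first run reproduces the "just under the threshold" state, the second the effect of adding one more monitored server, the third the event filter; the test also shows the first stage missing a sweep when two destinations collide in the bitmap.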
