https://community.cisco.com/t5/network-security/nachi-worm-icmp-echo-request/m-p/441541#M97943 <HTML><HEAD></HEAD><BODY><P>Yes in general this should work except - I don't think this is a "tcp rule" I think the same syntax but replace TCP with IP. IE -</P><P>access-list outside deny ip any host 172.16.44.12 eq icmp-echo </P><P>access-list outside deny ip any host 172.16.44.12 eq icmp-echo-reply </P><P></P><P></P><P></P></BODY></HTML> Thu, 09 Jun 2005 22:16:56 GMT gabelar 2005-06-09T22:16:56Z https://community.cisco.com/t5/network-security/nachi-worm-icmp-echo-request/m-p/441538#M97940 <P>Dear all ,</P><P></P><P>we are getting lot of alerts on Nachi worm icmp echo request . source ip address es are outside valid ip address. and destination ip address is our proxy server. </P><P></P><P>is this means any threat.. r false positive . our proxy server running on win 2000.</P><P></P><P></P><P></P><P>Thanks in advance</P><P></P><P>Nataraj</P> Sun, 10 Mar 2019 09:29:20 GMT https://community.cisco.com/t5/network-security/nachi-worm-icmp-echo-request/m-p/441538#M97940 nataraj_v 2019-03-10T09:29:20Z https://community.cisco.com/t5/network-security/nachi-worm-icmp-echo-request/m-p/441539#M97941 <HTML><HEAD></HEAD><BODY><P>Nataraj - the Nachi sig is looking for a payload of 0xaa in an ICMP packet. PersonallI wouldn't treat it as a false positive. Most ICMP packets don't have that payload unless it's nachi. Also it's suspicous to me that it destined for your proxy which is the address that internet users will see as a source on outbound web traffic. I would simply block ICMP messages on your perimiter, you shouldn't need ICMP traffic sourced from the outside to get to your proxy server. I would also consider getting a IPS device that can drop this type of traffic such as a IPS 5.0 appliance or an ASA box with an SSM card. In addition CSA on your proxy server would be an excellent idea.</P></BODY></HTML> Wed, 08 Jun 2005 16:37:02 GMT https://community.cisco.com/t5/network-security/nachi-worm-icmp-echo-request/m-p/441539#M97941 gabelar 2005-06-08T16:37:02Z https://community.cisco.com/t5/network-security/nachi-worm-icmp-echo-request/m-p/441540#M97942 <HTML><HEAD></HEAD><BODY><P>Dear Gabelar,</P><P></P><P>Thanks for the information. Iam getting alert from NIDS. shall i block icmp it in Pix firewall ? can u pls guide me . </P><P></P><P>access-list outside deny tcp any host 172.16.44.12 eq icmp-echo</P><P>access-list outside deny tcp any host 172.16.44.12 eq icmp-echo-reply</P><P></P><P></P><P>will it do ?</P><P></P><P>Thanks </P><P>Nataraj</P></BODY></HTML> Thu, 09 Jun 2005 02:35:28 GMT https://community.cisco.com/t5/network-security/nachi-worm-icmp-echo-request/m-p/441540#M97942 nataraj_v 2005-06-09T02:35:28Z https://community.cisco.com/t5/network-security/nachi-worm-icmp-echo-request/m-p/441541#M97943 <HTML><HEAD></HEAD><BODY><P>Yes in general this should work except - I don't think this is a "tcp rule" I think the same syntax but replace TCP with IP. IE -</P><P>access-list outside deny ip any host 172.16.44.12 eq icmp-echo </P><P>access-list outside deny ip any host 172.16.44.12 eq icmp-echo-reply </P><P></P><P></P><P></P></BODY></HTML> Thu, 09 Jun 2005 22:16:56 GMT https://community.cisco.com/t5/network-security/nachi-worm-icmp-echo-request/m-p/441541#M97943 gabelar 2005-06-09T22:16:56Z