07-19-2011 01:12 PM - edited 03-10-2019 05:25 AM
I'm getting a lot of these alarms on my IPS. I'm interested in finding a way to separate an actual "sweep" from what appears to be single pings from one host to another on my internal network.
The issue I see is that the alarm fires once every few minutes on completely different "attacker" and "victim" IPs. So I'm not quite sure what this 2100 alarm is responding to; it appears to be firing every time it sees one host pinging another.
In an effort to tune this alarm to fire only on actual "sweep" activity I changed the Event Count from "1" (the default setting) to "2" - this would seem to permit the alarm to fire only when it sees greater than 1 of this activity originating from a single "attacker".
However, I'm still finding that the 2100 alarm is firing on many host "attackers" on my network.
It would appear this alarm is purposely defaulted to trigger much more often than is necessary. Would appreciate any suggestions to get this alarm to stop firing needlessly.
Or maybe I just don't understand what it's trying to do? To me, a single host pinging a single target does not constitute a "ping sweep".
08-02-2011 11:02 AM
Hi Mark. So, this is a Sweep Engine signature designed for detecting traffic from one source (1) host to multiple destination hosts. Its Unique parameter (literally, that's what it is called) is the threshold number of distinct hosts required to trigger the signature. Based on this signature's default settings:
unique: 5
storage-key: attacker-address
event-count: 1
alert-interval: 60 (seconds)
summary-mode: fire-all
It should fire (and generate an Alert) whenever ICMP echo requests are seen from any source ("Attacker") to more than five (5) destinations ("Victims") within a 60 second time period. It should not fire if the ICMP echo requests are from one source to one destination only (i.e. 1:1); multiple destinations must be involved. I tested this in my lab to confirm.
Now, alerting gets more complicated due to this signature's use of Summarization (and Global Summarization)... Based on this signature's default settings:
summary-threshold: 100
summary-interval: 30 (seconds)
summary-key: attacker-address
If it fires more than 100 times in 30 seconds, going forward, a Summary Alert is generated (instead of individual Alerts) once every Summary Interval (30 seconds) per Summary Key (attacker address).
Based on all the above and your initial description, I suspect your hosts are legitimately triggering the signature, eventually resulting in Summary Alerts. As far as why the hosts are triggering it, you will need to examine the hosts themselves (possibly take and review a packet capture(s) to identify what hosts are pinging what other hosts, if there is a common software package installed on the affected hosts, etc.). Network management software packages often (legitimately) make use of ICMP ping sweeps. Searching a bit online... it appears that even some popular antivirus software is known to trigger this (based on it attempting to ping multiple update servers to determine connectivity). Perhaps there is a software package(s) installed on these hosts generating the trigger traffic?
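To make the firing and summarization rules from the answer above concrete, here is a small model of a Sweep Engine signature run over a constructed ICMP echo-request log. This is an added example, not code from the thread and not Cisco's engine: the parameter names (unique, alert-interval, summary-threshold, summary-interval, attacker-address key) follow the answer, while the details of when counting resets after a fire and how summary mode ends are assumptions, and event-count is not modelled. The sample log lines and the 10.0.0.x / 10.0.1.x addresses are made up for the illustration.

```python
"""Simplified model of the Sweep Engine behaviour described above: per
attacker address, count distinct targets inside a sliding alert-interval,
and switch to a Summary Alert once fires exceed summary-threshold within
summary-interval.  Added illustration; the reset-after-fire and
return-to-fire-all-after-one-interval behaviour are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class SweepConfig:
    unique: int = 5               # distinct targets needed to fire
    alert_interval: float = 60.0  # seconds a target keeps counting toward 'unique'
    summary_threshold: int = 100  # fires per summary_interval before summarizing
    summary_interval: float = 30.0


class SweepDetector:
    def __init__(self, cfg=None):
        self.cfg = cfg or SweepConfig()
        self.window = defaultdict(deque)      # attacker -> deque[(ts, target)]
        self.fire_times = defaultdict(deque)  # attacker -> deque[ts] of recent fires
        self.summary = {}                     # attacker -> {"start": ts, "count": n}
        self.alerts = []

    def echo_request(self, ts, attacker, target):
        w = self.window[attacker]
        while w and ts - w[0][0] > self.cfg.alert_interval:  # age out old targets
            w.popleft()
        w.append((ts, target))
        targets = {t for _, t in w}
        if len(targets) >= self.cfg.unique:   # a 1:1 ping never reaches this point
            w.clear()                         # assumption: counting restarts after a fire
            self._fire(ts, attacker, sorted(targets))

    def _fire(self, ts, attacker, targets):
        cfg = self.cfg
        s = self.summary.get(attacker)
        if s is not None:
            if ts - s["start"] <= cfg.summary_interval:
                s["count"] += 1               # folded into the pending Summary Alert
                return
            self._flush_summary(attacker)     # interval over: emit it, back to fire-all
        ft = self.fire_times[attacker]
        while ft and ts - ft[0] > cfg.summary_interval:
            ft.popleft()
        ft.append(ts)
        if len(ft) > cfg.summary_threshold:   # too chatty: switch to summary mode
            ft.clear()
            self.summary[attacker] = {"start": ts, "count": 1}
            return
        self.alerts.append({"type": "alert", "ts": ts, "attacker": attacker,
                            "targets": targets})

    def _flush_summary(self, attacker):
        s = self.summary.pop(attacker)
        self.alerts.append({"type": "summary", "ts": s["start"],
                            "attacker": attacker, "count": s["count"]})

    def finish(self):
        for attacker in list(self.summary):
            self._flush_summary(attacker)
        return self.alerts


def run(log_text, cfg=None):
    """Feed 'ts src dst' lines (one ICMP echo request each) to the detector in time order."""
    det = SweepDetector(cfg)
    events = [line.split() for line in log_text.splitlines() if line.strip()]
    for ts, src, dst in sorted(events, key=lambda e: float(e[0])):
        det.echo_request(float(ts), src, dst)
    return det.finish()


# Constructed sample, not taken from the thread.  10.0.0.5 only pings one host
# (1:1); 10.0.0.30 reaches five hosts but not inside one alert-interval;
# 10.0.0.20 reaches five distinct hosts within seconds.
SAMPLE_LOG = """
0    10.0.0.5   10.0.0.9
30   10.0.0.5   10.0.0.9
70   10.0.0.5   10.0.0.9
0    10.0.0.30  10.0.0.1
1    10.0.0.30  10.0.0.2
2    10.0.0.30  10.0.0.3
3    10.0.0.30  10.0.0.4
100  10.0.0.30  10.0.0.5
1    10.0.0.20  10.0.0.1
2    10.0.0.20  10.0.0.2
3    10.0.0.20  10.0.0.3
4    10.0.0.20  10.0.0.4
5    10.0.0.20  10.0.0.5
"""


def scanner_log(packets, attacker="10.0.0.99"):
    """Constructed sweep: one echo request every 50 ms to successive hosts in a /24."""
    return "\n".join(f"{i * 0.05:.2f} {attacker} 10.0.1.{i % 200 + 1}"
                     for i in range(packets))


if __name__ == "__main__":
    for a in run(SAMPLE_LOG) + run(scanner_log(1000)):
        print(a)
```

Running it shows the two points the answer makes: only 10.0.0.20 produces an Alert (one line, five targets), and the constructed scanner produces 100 individual Alerts followed by a single Summary Alert covering the rest, which is why a host appearing in a Summary Alert can look like "one host pinging one target" in the console. Raising unique above what a host touches, or shortening alert-interval, silences it in the model in the same way it would on the sensor.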
07-25-2011 09:45 AM
Sounds like perhaps you are seeing Summary Alerts. Can you paste a copy of one of these Alerts here, so the community can take a look? Feel free to redact any sensitive information (or change IP addresses) if you feel the need to do so, but, make sure that if you do, you do it consistently so we can still get a clear understanding of the Alert. I.e. do not change all the IP addresses to the same value, just redact the first three (3) octets or similar. Example: 192.168.0.10 -> x.x.x.10, 192.168.0.20 -> x.x.x.20, etc.
07-29-2011 06:15 PM
Event ID | 1310150219844783455 |
Severity | low |
Host ID | |
Application Name | sensorApp |
Event Time | 07/29/2011 15:06:43 |
Sensor Local Time | 07/29/2011 15:06:43 |
Signature ID | 2100 |
Signature Sub-ID | 0 |
Signature Name | ICMP Network Sweep w/Echo |
Signature Version | S2 |
Signature Details | |
Interface Group | vs0 |
VLAN ID | 0 |
Interface | ge0_0 |
Attacker IP | xxx.xxx.xxx.113 |
Protocol | icmp |
Attacker Port | |
Attacker Locality | OUT |
Target IP | xxx.xxx.xxx.142 |
Target Port | |
Target Locality | OUT |
Target OS | unknown unknown (relevant) |
Actions | |
Risk Rating | TVR=medium ARR=relevant |
Risk Rating Value | 60 |
Threat Rating | 60 |
Reputation | |
Context Data | |
Packet Data | |
Event Summary | 0 |
Initial Alert | |
Summary Type | |
Final Alert | |
Event Status | New |
Event Notes | |