Sig 2100 - ICMP Network Sweep w/Echo

mark.barrett
Level 1

I'm getting a lot of these alarms on my IPS. I'm interested in finding a way to separate an actual "sweep" from what appears to be single pings from one host to another on my internal network.

The issue I see is that the alarm fires once every few minutes on completely different "attacker" and "victim" IP's. So I'm not quite sure what this 2100 alarm is responding to, it appears to be firing everytime it sees one host pinging another.

In an effort to tune this alarm to fire only on actual "sweep" activity I changed the Event Count from "1" (the default setting) to "2" - this would seem to permit the alarm to fire only when it sees greater than 1 of this activity originating from a single "attacker"

However, I'm still finding that the 2100 alarm is firing on many host "attackers" on my network.

It would appear this alarm is purposely defaulted to trigger much more often than is necessary. Would appreciate any suggestions to get this alarm to stop firing needlessly.

Or maybe I just don't understand what it's trying to do? To me, a single host pinging a single target does not constitute a "ping sweep".

3 Replies

Dustin Ralich
Cisco Employee

Sounds like perhaps you are seeing Summary Alerts. Can you paste a copy of one of these Alerts here, so the community can take a look? Feel free to redact any sensitive information (or change IP addresses) if you feel the need to do so, but, make sure that if you do, you do it consistently so we can still get a clear understanding of the Alert. I.e. do not change all the IP addresses to the same value, just redact the first three (3) octets or similar. Example: 192.168.0.10 -> x.x.x.10, 192.168.0.20 -> x.x.x.20, etc.

Event ID: 1310150219844783455
Severity: low
Host ID:
Application Name: sensorApp
Event Time: 07/29/2011 15:06:43
Sensor Local Time: 07/29/2011 15:06:43
Signature ID: 2100
Signature Sub-ID: 0
Signature Name: ICMP Network Sweep w/Echo
Signature Version: S2
Signature Details:
Interface Group: vs0
VLAN ID: 0
Interface: ge0_0
Attacker IP: xxx.xxx.xxx.113
Protocol: icmp
Attacker Port:
Attacker Locality: OUT
Target IP: xxx.xxx.xxx.142
Target Port:
Target Locality: OUT
Target OS: unknown unknown (relevant)
Actions:
Risk Rating: TVR=medium ARR=relevant
Risk Rating Value: 60
Threat Rating: 60
Reputation:
Context Data:
Packet Data:
Event Summary: 0
Initial Alert:
Summary Type:
Final Alert:
Event Status: New
Event Notes:

Hi Mark. So, this is a Sweep Engine signature designed for detecting traffic from one source (1) host to multiple destination hosts. Its Unique parameter (literally, that's what it is called) is the threshold number of distinct hosts required to trigger the signature. Based on this signature's default settings:

unique: 5

storage-key: attacker-address

event-count: 1

alert-interval: 60 (seconds)

summary-mode: fire-all

It should fire (and generate an Alert) whenever ICMP echo requests are seen from any source ("Attacker") to more than five (5) destinations ("Victims") within a 60 second time period. It should not fire if the ICMP echo requests are from one source to one destination only (i.e. 1:1); multiple destinations must be involved. I tested this in my lab to confirm.

Now, alerting gets more complicated due to this signature's use of Summarization (and Global Summarization)... Based on this signature's default settings:

summary-threshold: 100

summary-interval: 30 (seconds)

summary-key: attacker-address

If it fires more than 100 times in 30 seconds, going forward, a Summary Alert is generated (instead of individual Alerts) once every Summary Interval (30 seconds) per Summary Key (attacker address).

Based on all the above and your initial description, I suspect your hosts are legitimately triggering the signature, eventually resulting in Summary Alerts. As far as why the hosts are triggering it, you will need to examine the hosts themselves (possibly take and review a packet capture(s) to identify what hosts are pinging what other hosts, if there is a common software package installed on the affected hosts, etc.). Network management software packages often (legitimately) make use of ICMP ping sweeps. Searching a bit online... it appears that even some popular antivirus software is known to trigger this (based on it attempting to ping multiple update servers to determine connectivity). Perhaps there is a software package(s) installed on these hosts generating the trigger traffic?
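
As an added illustration (not code from this thread or from Cisco), the following Python models the sweep-engine and summarization parameters the accepted answer lists, run over constructed ICMP echo-request observations: a 1:1 ping never fires, a host reaching six distinct targets inside one 60 second window fires once, and a host touching six targets spread over 200 seconds never does. The threshold semantics (fire when distinct targets exceed unique, reset per alert interval, summary mode keyed on attacker) follow the answer's wording and are assumptions about the real engine.

```python
"""Simplified model of the sweep-engine and summarization logic the accepted
answer describes for sig 2100. Constructed events, not real sensor output."""
from collections import defaultdict, deque

# Constructed ICMP echo-request observations: (time_seconds, attacker, target)
EVENTS = (
    [(t, "10.0.0.5", "10.0.0.9") for t in range(0, 120, 10)]    # 1:1 pings
    + [(30 + i, "10.0.0.20", f"10.0.1.{i}") for i in range(7)]  # 7 targets in 7 s
    + [(i * 40, "10.0.0.30", f"10.0.2.{i}") for i in range(6)]  # 6 targets over 200 s
)

def detect_sweeps(events, unique=5, alert_interval=60):
    """Return (time, attacker, distinct_targets) alerts. State is per attacker
    (storage-key); an alert fires once a source has sent to more than `unique`
    distinct targets inside `alert_interval` seconds, then its state resets."""
    window = defaultdict(deque)          # attacker -> deque of (time, target)
    alerts = []
    for t, src, dst in sorted(events):
        q = window[src]
        q.append((t, dst))
        while t - q[0][0] > alert_interval:   # drop observations outside the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > unique:
            alerts.append((t, src, len(distinct)))
            q.clear()                         # alert-interval reset for this source
    return alerts

def summarize(alerts, summary_threshold=100, summary_interval=30):
    """Model summary-mode fire-all with summary-key attacker-address: once more
    than `summary_threshold` alerts fire within one `summary_interval`, later
    alerts become one (interval_start, attacker, count) summary per attacker."""
    individual, summaries, recent = [], [], deque()
    bucket, start = defaultdict(int), None
    for t, src, n in sorted(alerts):
        if start is None:                     # still reporting individual alerts
            recent.append(t)
            while t - recent[0] > summary_interval:
                recent.popleft()
            individual.append((t, src, n))
            if len(recent) > summary_threshold:
                start = t                     # switch to summary mode
            continue
        if t - start >= summary_interval:     # close the finished interval
            summaries += [(start, k, c) for k, c in sorted(bucket.items())]
            bucket, start = defaultdict(int), t
        bucket[src] += 1
    if start is not None:
        summaries += [(start, k, c) for k, c in sorted(bucket.items())]
    return individual, summaries
```

The single alert the model produces names only the attacker and the count of distinct targets, which is why a sensor's individual alert can show one attacker/victim pair even though several victims were involved.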
