Net Sweep Echo

We have IDS (version 4 S114). It's picking up a lot of this from internal src 1.0.0.239 src port 8 to dst 62.8.50.x.

Anyone know what's causing this traffic (9456) from this source? The dst address is from the Netherlands. Does this mean the source is infected by Nachi?


a.arndt
Level 3

The answer lies in knowing exactly which SigID is firing.

If it is SigID 2100 (ICMP Network Sweep w/Echo), it doesn't necessarily mean that Nachi is your culprit. However, if it is SigID 2156 (Nachi Worm ICMP Echo Request), then it most likely is Nachi.

IIRC, Nachi isn't the only worm that starts sending out sequential ICMP echo requests to random networks. Furthermore, various *Bot (*=SD|Gao|Ago|etc.) infected systems may be seen performing ICMP network scanning as a result of a command from their controller.

Of course, this could also just be some user in your network running a tool too (say, nmap?). Network scanners that use ICMP for their reconnaissance efforts are a dime a dozen...

Perhaps you could provide the SigID noted with your alerts?

Alex Arndt

The SigID is 2100.

Given the SigID (2100), I would suggest that you look at the traffic on your network using your favourite packet analyzer and see if anything jumps out at you for any of the packets that are flowing in relation to this activity.

I'd suggest you start by identifying a common element, like the source IP address, and work with that. Looking at all traffic from a host that is commonly showing up as the source of SigID 2100 may help you figure out what is really going on (worm vs. network management, for example).

Cisco IDS is alarming on traffic that matches a "signature"; it won't alarm on anything that appears to be legitimate (read: no signature) traffic that may still be on the wire illegitimately...

I hope this helps,

Alex Arndt
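Alex's suggestion of starting from a common element (the source address) and looking for the sequential-destination pattern that distinguishes a worm or scanner sweep from ordinary management pings can be scripted. The following is an added example, not code from the thread or from Cisco; it assumes a constructed whitespace-separated flow-log format (seconds, src, dst, proto, ICMP type) and uses documentation address ranges as sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, not taken from the thread.
# Fields: seconds src dst proto icmp_type ("-" when not ICMP)
SAMPLE_FLOWS = """\
0 10.0.0.239 203.0.113.1 icmp 8
1 10.0.0.239 203.0.113.2 icmp 8
2 10.0.0.239 203.0.113.3 icmp 8
3 10.0.0.239 203.0.113.4 icmp 8
4 10.0.0.239 203.0.113.5 icmp 8
5 10.0.0.7 10.0.0.1 icmp 8
6 10.0.0.7 10.0.0.1 icmp 8
7 10.0.0.50 198.51.100.9 tcp -
8 10.0.0.12 198.51.100.40 icmp 8
9 10.0.0.12 198.51.100.7 icmp 8
10 10.0.0.12 198.51.100.200 icmp 8
11 10.0.0.12 198.51.100.101 icmp 8
12 10.0.0.12 198.51.100.3 icmp 8
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, icmp_type = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto, "icmp_type": icmp_type})
    return flows

def echo_sweeps(flows, min_targets=5):
    """Return {src: {"targets": n, "pattern": p}} for sources whose ICMP echo
    requests (type 8) reached at least min_targets distinct hosts. 'sequential'
    means the destinations form a contiguous address run (worm/scanner-like)."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "icmp" and f["icmp_type"] == "8":
            targets[f["src"]].add(int(ipaddress.ip_address(f["dst"])))
    result = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        ordered = sorted(dsts)
        sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        result[src] = {"targets": len(dsts),
                       "pattern": "sequential" if sequential else "scattered"}
    return result
```

A host that repeatedly pings the same gateway (10.0.0.7 above) never reaches the threshold, while the two sweeping sources are reported with their pattern, which is the starting point for the worm-versus-management triage Alex describes.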