Rule: -- Sid: 465 -- Summary: This event is generated when an ICMP echo request is made from a host running the Internet Security Scanner tool. -- Impact: Information gathering. An ICMP echo request can determine if a host is active. -- Detailed Information: An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running Internet Security Scanner "pinger" software contains a unique payload in the message request. -- Affected Systems: All -- Attack Scenarios: An attacker may attempt to determine live hosts in a network prior to launching an attack. -- Ease of Attack: Simple -- False Positives: An ICMP echo request may be used to legimately troubleshoot networking problems. -- False Negatives: None known. -- Corrective Action: Block inbound ICMP echo requests. -- Contributors: Original rule written by Max Vision Documented by Steven Alexander Sourcefire Research Team Judy Novak -- Additional References: http://www.whitehats.com/info/IDS158 --
