Rule:

--
Sid:
476

--
Summary:
This event is generated when Webtrends Security Scanner generates an ICMP echo request message.

--
Impact:
ICMP echo requests are used to determine if a host is running at a specific IP address.  A remote attacker can scan a large range of hosts using ICMP echo requests to determine what hosts are operational on the network.

--
Detailed Information:
Webtrends Ecurity Scanner generates a ICMP Echo Request message containing the following hex signature:

 |00000000454545454545454545454545|

By searching for this string in a packet, it is possible to determine the type of host that generated the request.

--
Attack Scenarios:
A remote attacker might scan a large range of hosts using ICMP echo requests to determine what hosts are operational on the network.

--
Ease of Attack:
Simple.  The "ping" utility found on most operating systems can generate these types of ICMP messages.

--
False Positives:
None known

--
False Negatives:
Packet generation tools can generate ICMP Echo requests with user-defined payloads.  This could allow attackers to replace this signature with binary values and conceal their operating system.

--
Corrective Action:

--
Contributors:
Original Rule writer unknown
Sourcefire Vulnerability Research Team
Matthew Watchinski (matt.watchinski@sourcefire.com)

--
Additional References:

--
