TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
source address will be the recipient of the ICMP message. A similar situation may occur when a large portscan is
occurring and an attempt is made to mask the true source of the scan by tossing in spoofed source addresses.
Signature ID: 12270
ICMP ping from host running ISS Pinger
Threat Level: Information
Signature Description: ISS Pinger is a network monitoring tool. An echo request that originates from a host running
ISS Pinger software contains a unique payload in the message request. This rule will detect the ICMP pings from a host
running ISS Pinger software.
Signature ID: 12271
ICMP Ping from host running Nemesis v1.1
Threat Level: Information
Signature Description: Nemesis is a packet injection tool for Windows/Linux. An echo request that originates from a
host running Nemesis software contains a unique payload in the message request. This rule will detect the ICMP pings
from a host running Nemesis software.
Signature ID: 12272
ICMP PING from host running CyberKit 2.2
Threat Level: Information
Signature Description: CyberKit 2.2 is a network monitoring tool for Windows. An echo request that originates
from a Windows host running CyberKit 2.2 software contains a unique payload in the message request. This rule will
detect the ICMP pings from CyberKit 2.2 software.
Signature ID: 12273
ICMP PING with Zero Data Length (NMAP port scanning)
Threat Level: Information
Signature Description: Normally, any ICMP request contains some data. ICMP with zero data length is not common.
Nmap is a security scanner available for Windows/Linux and sends this type of packet while scanning. This rule may
be prone to false positives, as such packets are also seen in other cases, for example when connecting to a network
where Active Directory is implemented or when Kontiki delivery manager is used on Windows platforms to download
multimedia files. The avast! antivirus update feature is also reported to produce ICMP pings with zero data when
connecting to the avast servers.
Signature ID: 12274
ICMP PING Sniffer Pro/NetXRay network scan
Threat Level: Information
Signature Description: Sniffer Pro/NetXRay is a network monitoring tool for Windows. An echo request that
originates from a Windows host running Sniffer Pro/NetXRay software contains a unique payload in the message
request. This rule will detect the ICMP pings from a host running Sniffer Pro/NetXRay software.
Signature ID: 12275
ICMP PING from host running WhatsUpGold software
Threat Level: Information
Signature Description: WhatsUpGold is a network monitoring tool for Windows. An echo request that originates
from a Windows host running WhatsUpGold software contains a unique payload in the message request. This rule will
detect the ICMP pings from a host running WhatsUpGold software.