Ethereal-users: Re: [Ethereal-users] Newbie in a jam

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Andreas Fink <afink@xxxxxxxxxxxxxxxxxx>
Date: Tue, 28 Feb 2006 21:42:45 +0100
Why would filtering ICMP stop anything??
It wouldn't help finding him anything. The "bad" guy inside his network will still be there. Instead use of ethereal should make him spot the right machine and be able to take corresponding action. ICMP is an important service and I don't see why users should not be able to use it. There are far more dangerous services like Windows Messaging (see http://www.itc.virginia.edu/desktop/docs/messagepopup/) or simply use of Windows file service from remote (most users don't need that so it's usually not a bad idea to close those ports). There was only one reason to filter ICMP and that was during the known bug of WindowsNT and Windows95 called "ping-of-death" where a well crafted overlength ICMP packet was able to crash any Windows machine within seconds.

So it would take a brainwashed system administrator to put a totally outdated 10 year old machine with Windows95 or WindowsNT without any security patches on to the internet. If you have that on your network, then you might want to block ICMP.

On 28.02.2006, at 21:22, FRANCIS PROVENCHER wrote:

Hi
To stop the problem, you can deny the icmp echo request on your firewall. It's not a good thing to let users make icmp echo reply (ping) outdoor of your network. Create a rule on your firewall to deny it; you can add some exceptions on this rule to let administrators ping outdoor.

Sorry I can give you some advice with ethereal.
You can also check for a Snort (Intrusion Detection System)



Francis Provencher
Ministère de la Sécurité publique
Réalisations et Systèmes réseaux
Tél: (418) 646-3258
Courriel:   Francis.provencher@xxxxxxxxxxxxxx

CEH - Certified Ethical Hackers
SSCP - System Security Certified Practitioner
Sec+ - Security +
jason.hernandez@xxxxxxxxxxxxx 02/28/06 2:36 PM >>>
Hello all,



I am very new to protocol analyzing and packet sniffing. I usually just
support pc, but am now supporting our network. I've been contacted by my
company's ISP and they say some machine behind my router is scanning their
network. I have made sure all my PCs are patched, and have up to date anti
virus software (McAfee) as well as anti spyware software (Windows
Defender), but I am still having this issue.



How can I use this software to find the culprit? What am I supposed to look
for? Sorry for being such a newbie...



Thanks in advance!





Jason







Andreas Fink
Fink Consulting GmbH

---------------------------------------------------------------
Tel: +41-61-6666332 Fax: +41-61-6666331  Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail:  afink@xxxxxxxxxxxxxxxxxx
Homepage: http://www.finkconsulting.com
---------------------------------------------------------------

ICQ: 101946485 MSN: msn1@xxxxxx AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333
PGP9: 0714 DF2B A189 A760 6201  5CBD D040 3E71 4DAF 68BB
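
Added example, not part of the original thread and not Ethereal's own code: the reply above suggests using a capture to spot the machine doing the scanning, and this sketch shows the kind of ranking that makes that machine stand out, by counting distinct external targets per internal host and how few of its probes are answered. The `src,dst,proto,dport,answered` row layout, the `192.168.1.0/24` LAN range, the thresholds and all sample rows are assumptions constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range


def sample_rows():
    """Constructed rows: src,dst,proto,dport,answered (1 = peer replied)."""
    rows = [f"192.168.1.10,198.51.100.{i},tcp,443,1" for i in (7, 8, 9)]
    # Busy but legitimate host: many destinations, all of them answer.
    rows += [f"192.168.1.30,198.51.100.{i},tcp,80,1" for i in range(20, 26)]
    # Scan-like host: sweeps a range, almost nothing answers.
    rows += [f"192.168.1.23,203.0.113.{i},tcp,445,0" for i in range(1, 9)]
    rows += [f"192.168.1.23,203.0.113.{i},icmp,0,0" for i in range(1, 9)]
    rows.append("192.168.1.23,203.0.113.4,tcp,445,1")
    return rows


def find_scanners(rows, internal=INTERNAL, min_targets=5, max_answer_ratio=0.2):
    """Return [(src, distinct_targets, answer_ratio)], widest fan-out first.

    A host is listed when its outbound probes reach at least min_targets
    distinct external (dst, proto, port) tuples and at most
    max_answer_ratio of those probes were answered.
    """
    targets = defaultdict(set)
    total = defaultdict(int)
    answered = defaultdict(int)
    for src, dst, proto, dport, ok in csv.reader(rows):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in internal or d in internal:
            continue  # only traffic leaving the LAN is of interest here
        targets[src].add((dst, proto, dport))
        total[src] += 1
        answered[src] += int(ok)
    suspects = []
    for src, seen in targets.items():
        ratio = answered[src] / total[src]
        if len(seen) >= min_targets and ratio <= max_answer_ratio:
            suspects.append((src, len(seen), round(ratio, 2)))
    return sorted(suspects, key=lambda t: -t[1])


if __name__ == "__main__":
    for src, count, ratio in find_scanners(sample_rows()):
        print(f"{src}: {count} distinct targets, {ratio:.0%} answered")
```

The answer ratio is what separates the sweeping host from the busy one: both contact many destinations, but only the first gets almost no replies.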