Rule: -- Sid: 478 -- Summary: This event is generated when Broadscan Smurf Scanner generates an ICMP echo request message. -- Impact: ICMP echo requests are used to determine if a host is running at a specific IP address. A remote attacker can scan a large range of hosts using ICMP echo requests to determine what hosts are operational on the network. -- Detailed Information: The Broadscan Smurf Scanner generates an ICMP echo packet with a specific datagram signature. -- Attack Scenarios: A remote attacker might scan a large range of hosts using ICMP echo requests to determine what hosts are operational on the network. -- Ease of Attack: Simple. Packet generation tools can generate this type of ICMP packet -- False Positives: None known -- False Negatives: Packet generation tools can generate ICMP echo requests with user-defined payloads. This could allow attackers to replace this signature with binary values and conceal their operating system. -- Corrective Action: To prevent information gathering, use a firewall to block incoming ICMP Type 8 Code 0 traffic. -- Contributors: Original Rule writer unknown Sourcefire Research Team Matthew Watchinski (matt.watchinski@sourcefire.com) -- Additional References: --
