CSMARS reporting ICMP traffic between hosts and Exchange Server

Unanswered Question

We recently added a CSMARS box to our infrastructure so it could correlate and report on our 4260's alerts. I've noticed that CSMARS is reporting on ICMP's from multiple hosts within our network sending ICMP packets to our Exchange server. The total amounts of packets are between 15 and 30 and then the ICMP's from the specific clients stop.

I know that Windows XP clients will send ICMP traffic to domain controllers in order to test connectivity and I'm wondering if we're seeing the same occurrence with our Exchange clients.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
mhellman Wed, 02/13/2008 - 07:43
User Badges:
  • Blue, 1500 points or more

It's probably normal, but it would help if you could get a trace and actually identify the ICMP type and code.

mhellman Wed, 02/13/2008 - 09:31
User Badges:
  • Blue, 1500 points or more

yes, a network trace. I assume the events in MARS are firewall events and not IDS alarms?

mhellman Wed, 02/13/2008 - 10:13
User Badges:
  • Blue, 1500 points or more

okay, that's good. It means you can get a trace on the sensor if you need to. so what signature is firing exactly? certain ICMP messages are quite normal on the network.

Hi, the signature that is firing is ICMP Flood

Signature ID: 2152/0. According to Cisco's site this signature should not fire under normal circumstances. However, when we first setup the IPS sensor it would deny all vpn users' access to our exchange server as the Win Nuke signature kept firing. Of course this was a false positive.

However, once I tweaked the CSMARS rule a bit the noise calmed down and it reported on two hosts that were trying to send ICMP floods to Google.

mhellman Thu, 02/14/2008 - 07:19
User Badges:
  • Blue, 1500 points or more

The flood signatures need to be tuned for your network. That specific signature fires when it detects more than 25 ICMP echo request (ping) packets per second being sent to a single host. In a larger network, this could fire on all sorts of apps.


This Discussion