Snort mailing list archives
Re: [Fwd: Several Misbehaviors with the ICMP implementation (and the 'ping'utility) with MS based operating systems]
From: Fyodor <fygrave () tigerteam net>
Date: Mon, 7 May 2001 03:12:59 +0700
On Sun, May 06, 2001 at 03:14:51PM -0400, Edwin Chiu wrote:
> Is there a snort signature for these packets? From what I remember, I don't think snort 1.7 can do it... what about 1.8?
>
> -------- Original Message --------
> Subject: Several Misbehaviors with the ICMP implementation (and the 'ping'utility) with MS based operating systems
> Date: Thu, 3 May 2001 06:51:26 -0700
> From: Ofir Arkin <ofir () SYS-SECURITY COM>
> Reply-To: Ofir Arkin <ofir () SYS-SECURITY COM>
> To: BUGTRAQ () SECURITYFOCUS COM
>
> RFC 792 (Internet Control Message Protocol) suggests how the ICMP Identifier field and the ICMP Sequence Number field should be used:
We _CAN_ check ICMP ID ('icmp_id: ...') and ICMP SEQ ('icmp_seq') fields of an ICMP packet, if that was your question :->
so up to you if you want to craft the rules ;-)