Snort mailing list archives
Re: Rule content question.
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 16 Aug 2002 13:12:58 -0400
What about this? (sid changed to a local-rules sid range)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP nonzero Large ICMP Packet"; dsize: >800; content:!"|00 00 00 00 00 00 00 00|"; classtype:bad-unknown; sid:1000008; rev:1;)
Admittedly it only detects 8 00 bytes before deciding to ignore the packet, but you can expand it to more to reduce the false-negative rate.
Given your request for this, I take it you're trying to ignore AIX MTU probes, which use large pings of 00's.
Your other option, a little better, is to have a pass rule which passes ICMP echoes with the don't-fragment bit set and contents of a whole pile of zeros, then leave the original rule intact. This way you have a lesser chance of passing things other than the AIX probes.
At 12:01 PM 8/16/2002 -0400, larosa, vjay wrote:
Hello, I have a rule content question for the list. I seem to have a lot of happy packet generators on my network. No matter what I tell these people, they always think they can somehow get by me. I am finally giving up. I want to change the following rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)

to ignore any ICMP packet that has a payload of all 00's. I am trying to figure out how I can mangle this rule to not trigger on these packets. These packets all vary in size as well. Does anybody have any good ideas? Thanks! vjl
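An added example, not from either poster: a small Python emulation of how Snort turns a content string with |..| hex notation into bytes (pipes toggle hex mode, so "|00|00|" is not two NUL bytes) and how dsize plus a negated content match decide whether the suggested rule alerts. The payloads are constructed for illustration; the AIX probe is simply an all-zero payload as the thread describes it.

```python
def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to bytes.

    Each '|' toggles between ASCII and hex mode, so '|00 00|' is two NUL
    bytes while '|00|00|' is NUL, ASCII '0', '0', and hex mode again.
    """
    out = bytearray()
    hexmode = False
    for chunk in spec.split("|"):
        out += bytes.fromhex(chunk) if hexmode else chunk.encode("ascii")
        hexmode = not hexmode
    return bytes(out)


def rule_fires(payload: bytes, min_dsize: int, negated_content: bytes) -> bool:
    """dsize:>N together with content:!"..." alerts only when the payload
    is longer than N and the pattern appears nowhere in it."""
    return len(payload) > min_dsize and negated_content not in payload


# Pattern as intended (eight NUL bytes) and as a pipe-per-byte typo parses.
ZERO8 = parse_content("|00 00 00 00 00 00 00 00|")
BROKEN = parse_content("|00|00|00|00|00|00|00|00|")

# Constructed sample ICMP payloads.
PROBE = bytes(1400)                              # all-zero MTU probe
FLOOD = bytes(range(256)) * 4                    # 1024 bytes, no NUL run
SNEAKY = b"A" * 900 + bytes(8) + b"B" * 100      # junk padded with 8 zeros


def demo() -> dict:
    """Evaluate the dsize:>800 rule against each constructed payload."""
    return {
        "probe_ignored": not rule_fires(PROBE, 800, ZERO8),
        "flood_alerts": rule_fires(FLOOD, 800, ZERO8),
        # Any 8-byte zero run anywhere suppresses the alert: the
        # false-negative case the thread warns about.
        "sneaky_missed": not rule_fires(SNEAKY, 800, ZERO8),
        # The mis-piped pattern contains ASCII '0's, so the probe
        # still alerts, which defeats the purpose of the rule.
        "broken_still_alerts_on_probe": rule_fires(PROBE, 800, BROKEN),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```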