Snort mailing list archives

Re: RE: Rule content question.


From: Clint Byrum <cbyrum () spamaps org>
Date: Tue, 20 Aug 2002 13:47:58 -0700

On Tue, Aug 20, 2002 at 03:35:34PM -0400, larosa, vjay wrote:
> <snip>
> I seem to have a lot of happy packet generators on my network. No matter
> what I tell these people they always think they can somehow get by me.
> I am finally giving up, I want to change the following rule,
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)
>
> to ignore any ICMP packet that has a payload of all 00's. I am trying to
> figure out how I can mangle

You *could* use a pass rule before this one to allow specific harmless 
all-zero pings through.

I'd say though, that this can probably be tuned out. Is this type of
traffic really so telling of an "intrusion"?
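Added illustration (not part of the thread, and not Snort code): a small Python model of the sid:499 rule above with the tuning the poster asked for, alongside what a Snort pass rule keyed on a fixed-length zero content match would actually express. The packets, addresses (RFC 5737 documentation ranges) and the 8-byte prefix depth are constructed for the example; the only value taken from the thread is the dsize threshold of 800.

```python
"""Model of the "ICMP Large ICMP Packet" rule with an all-zero exclusion.

Constructed example, not Snort code. It contrasts the exact tuning the
poster wants (ignore payloads that are entirely 0x00) with the closest
thing a pass rule can state: a content match on a fixed-length run of
zeros, which only inspects a prefix of the payload.
"""
from dataclasses import dataclass

DSIZE_THRESHOLD = 800  # from the sid:499 rule in the thread: dsize: >800


@dataclass
class IcmpPacket:
    src: str
    dst: str
    payload: bytes  # ICMP payload only; header bytes are not modelled


def is_large(pkt: IcmpPacket) -> bool:
    """Equivalent of dsize: >800."""
    return len(pkt.payload) > DSIZE_THRESHOLD


def all_zero_payload(pkt: IcmpPacket) -> bool:
    """Exact condition the poster asked for: every payload byte is 0x00."""
    return len(pkt.payload) > 0 and not any(pkt.payload)


def content_prefix_zero(pkt: IcmpPacket, depth: int = 8) -> bool:
    """Approximation a pass rule could express with a content match on
    `depth` zero bytes (hypothetical depth of 8): checks only the prefix."""
    return len(pkt.payload) >= depth and pkt.payload[:depth] == b"\x00" * depth


def should_alert(pkt: IcmpPacket) -> bool:
    """Alert rule with the exact tuning: large and not entirely zero."""
    return is_large(pkt) and not all_zero_payload(pkt)


def should_alert_with_pass(pkt: IcmpPacket, depth: int = 8) -> bool:
    """Alert rule as seen behind a pass rule keyed on a zero prefix."""
    return is_large(pkt) and not content_prefix_zero(pkt, depth)


# Constructed sample traffic (documentation address ranges).
SAMPLES = {
    "zero_ping": IcmpPacket("203.0.113.5", "192.0.2.10", b"\x00" * 1000),
    "small_ping": IcmpPacket("203.0.113.5", "192.0.2.10", b"\x00" * 56),
    "zero_prefix_then_data": IcmpPacket(
        "203.0.113.5", "192.0.2.10", b"\x00" * 8 + b"A" * 1000
    ),
    "text_payload": IcmpPacket("203.0.113.5", "192.0.2.10", b"A" * 900),
}


def evaluate(samples=SAMPLES):
    """Return {name: (exact_tuning_alerts, pass_rule_tuning_alerts)}."""
    return {
        name: (should_alert(pkt), should_alert_with_pass(pkt))
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, (exact, with_pass) in evaluate().items():
        print(f"{name:24s} exact={exact!s:5s} pass-rule={with_pass}")
```

The third sample is the point: a payload that starts with zeros and then carries data is dropped by the prefix-based pass rule but still alerts under the exact all-zero test, so a pass rule built from a fixed content match trades a little coverage for the tuning. Whichever approach is used, the pass rule must be evaluated before the alert rule for it to take effect; in Snort of this era that meant the `-o` option to reorder pass rules ahead of alert rules.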



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users