Snort mailing list archives
Re: RE: Rule content question.
From: Clint Byrum <cbyrum () spamaps org>
Date: Tue, 20 Aug 2002 13:47:58 -0700
On Tue, Aug 20, 2002 at 03:35:34PM -0400, larosa, vjay wrote: <snip>
I seem to have a lot of happy packet generators on my network. No matter what I tell these people they always think they can some how get by me. I am finally giving up, I want to change the following rule, alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;) to ignore any ICMP packet that has a payload of all 00's. I am trying to figure out how I can mangle
You *could* use a pass rule before this one to allow specific harmless all-zero pings through. I'd say though, that this can probably be tuned out. Is this type of traffic really so telling of an "intrusion" ? ------------------------------------------------------- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Rule content question. larosa, vjay (Aug 16)
- <Possible follow-ups>
- Re: Rule content question. Matt Kettler (Aug 16)
- RE: Rule content question. larosa, vjay (Aug 20)
- Re: RE: Rule content question. Clint Byrum (Aug 20)
- Re: RE: Rule content question. Andreas Hasenack (Aug 20)
- Re: RE: Rule content question. Phil Wood (Aug 20)
- Re: RE: Rule content question. Clint Byrum (Aug 20)
- Re: RE: Rule content question. Matt Kettler (Aug 21)