Re: RE: Rule content question.

[Phil Wood <cpw () lanl gov>]

Unless you make approx (1500-800) pass rules each with one more null byte in a
content string, I think you ought to be content with testing the content
for something like:

  (... dsize: >800; content: "|00 00 00 00|"; ...)

So, you have two rules:

pass icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IGNORE ICMP Large ICMP Packet"; dsize: >800;  content: "|00 00 00 
00|"; )

log icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP Large ICMP Packet"; dsize: >800; reference: arachnids,246; 
classtype: bad-unknown; sid:499; rev:3;)

And throw in the '-o' option on the snort command line".

On Tue, Aug 20, 2002 at 03:35:34PM -0400, larosa, vjay wrote:
> I guess from the lack of replies there is no way for me to accomplish this.
>
> vjl
>
>
> >  -----Original Message-----
> > From:       larosa, vjay  
> > Sent:       Friday, August 16, 2002 12:01 PM
> > To: 'snort-users () lists sourceforge net'
> > Subject:    Rule content question.
> >
> > Hello,
> >
> > I have a rule content question for the list,
> >
> > I seem to have a lot of happy packet generators on my network. No matter
> > what I tell these people they always
> > think they can some how get by me. I am finally giving up, I want to
> > change the following rule,
> >
> > alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP
> > Packet"; 
> > dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499;
> > rev:3;)
> >
> > to ignore any ICMP packet that has a payload of all 00's. I am trying to
> > figure out how I can mangle
> > this rule to not trigger on these packets. These packets are all varying
> > in size as well. Does anybody have 
> > any good idea? Thanks!
> >
> > vjl
> >
> >
> >
> > V.Jay LaRosa                           EMC Corporation
> > Information Security                  171 South Street
> > (508)249-3355 office                  Hopkinton, MA 01748
> > (508)498-5575 cell                     www.emc.com
> > (888-799-9750 pager                  larosa_vjay () emc com
> > (508)497-8082 fax
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: OSDN - Tired of that same old
> cell phone?  Get a new here for FREE!
> https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users