Snort mailing list archives
Re: RE: Rule content question.
From: Phil Wood <cpw () lanl gov>
Date: Tue, 20 Aug 2002 15:28:13 -0600
Unless you make approx (1500-800) pass rules each with one more null byte in a content string, I think you ought to be content with testing the content for something like:

    (... dsize: >800; content: "|00 00 00 00|"; ...)

So, you have two rules:

    pass icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IGNORE ICMP Large ICMP Packet"; dsize: >800; content: "|00 00 00 00|"; )

    log icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP Large ICMP Packet"; dsize: >800; reference: arachnids,246; classtype: bad-unknown; sid:499; rev:3;)

And throw in the '-o' option on the snort command line.

On Tue, Aug 20, 2002 at 03:35:34PM -0400, larosa, vjay wrote:
I guess from the lack of replies there is no way for me to accomplish this.

vjl

-----Original Message-----
From: larosa, vjay
Sent: Friday, August 16, 2002 12:01 PM
To: 'snort-users () lists sourceforge net'
Subject: Rule content question.

Hello,

I have a rule content question for the list. I seem to have a lot of happy packet generators on my network. No matter what I tell these people they always think they can somehow get by me. I am finally giving up. I want to change the following rule,

    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)

to ignore any ICMP packet that has a payload of all 00's. I am trying to figure out how I can mangle this rule to not trigger on these packets. These packets are all varying in size as well. Does anybody have any good idea?

Thanks!

vjl

V.Jay LaRosa
EMC Corporation
Information Security
171 South Street
Hopkinton, MA 01748
www.emc.com
(508)249-3355 office
(508)498-5575 cell
(888)799-9750 pager
(508)497-8082 fax
larosa_vjay () emc com
-- Phil Wood, cpw () lanl gov
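To make the trade-off in Phil's suggestion concrete, here is an added example (Python, written for this page; it is not code from the thread or from Snort) that models how the two rules decide a packet. It assumes only what the rules state: `dsize: >800` is a strict size test on the ICMP payload, `content: "|00 00 00 00|"` matches four consecutive null bytes anywhere in the payload, and with `-o` a matching pass rule is evaluated before the log rule. The sample payloads are constructed. The example also computes what vjay actually asked for (a payload that is entirely nulls), which is the condition the "one pass rule per size" approach would express, so the difference between the approximation and the exact condition is visible.

```python
# Model of the two Snort rules from the thread, applied to constructed payloads.
# Assumptions (labelled): Snort's content match is a substring search over the
# whole payload, dsize: >800 is strictly greater than 800 bytes, and -o orders
# pass rules before log/alert rules so a matching pass rule suppresses logging.

NULL_RUN = bytes(4)  # the content pattern "|00 00 00 00|"

# Constructed ICMP payloads (not captured traffic).
SAMPLES = {
    "all_zero_1000": bytes(1000),                                   # the packet generators' traffic
    "all_zero_801": bytes(801),                                     # just over the dsize threshold
    "all_zero_800": bytes(800),                                     # exactly 800: not >800, so neither rule fires
    "text_1000": b"A" * 1000,                                       # large, no nulls: should be logged
    "text_with_null_run": b"A" * 500 + bytes(4) + b"B" * 496,       # large, mostly data, one 4-byte null run
    "small_zero": bytes(64),                                        # all nulls but below the size threshold
}


def rule_pass(payload: bytes) -> bool:
    """pass icmp ... (dsize: >800; content: "|00 00 00 00|";)"""
    return len(payload) > 800 and NULL_RUN in payload


def rule_log(payload: bytes) -> bool:
    """log icmp ... (dsize: >800; sid:499;)"""
    return len(payload) > 800


def verdict(payload: bytes) -> str:
    """Outcome under -o: pass rules are checked first, then the log rule."""
    if rule_pass(payload):
        return "pass"
    if rule_log(payload):
        return "log"
    return "none"


def exact_all_zero(payload: bytes) -> bool:
    """The condition vjay described: a large payload consisting only of null bytes.
    Expressing this in Snort content options needs one pass rule per payload
    length, which is the 'approx (1500-800) pass rules' Phil refers to."""
    return len(payload) > 800 and payload.count(0) == len(payload)


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to (rule verdict, exact all-zero condition)."""
    return {name: (verdict(p), exact_all_zero(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (v, exact) in evaluate().items():
        flag = "" if (v == "pass") == exact else "   <- approximation differs from exact condition"
        print(f"{name:22s} verdict={v:5s} exact_all_zero={exact}{flag}")
```

Running it shows the all-zero packets over 800 bytes being passed and the plain large packet being logged, as intended. It also shows the one case where the four-null-byte content approximation is broader than the stated goal: a large packet of real data that happens to contain four consecutive null bytes is passed as well, so the log rule never sees it. Whether that gap matters depends on what else the `sid:499` rule is expected to catch; if it does matter, the per-size pass rules are the way to express the exact condition.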
Current thread:
- Rule content question. larosa, vjay (Aug 16)
- <Possible follow-ups>
- Re: Rule content question. Matt Kettler (Aug 16)
- RE: Rule content question. larosa, vjay (Aug 20)
- Re: RE: Rule content question. Clint Byrum (Aug 20)
- Re: RE: Rule content question. Andreas Hasenack (Aug 20)
- Re: RE: Rule content question. Phil Wood (Aug 20)
- Re: RE: Rule content question. Clint Byrum (Aug 20)
- Re: RE: Rule content question. Matt Kettler (Aug 21)