Re: normal vs. malicious icmp echo

[Erik Fichtner <emf () servervault com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, May 05, 2004 at 10:25:42PM -0500, Mario Guerendo wrote:
> I just wanted to know if anybody had a snort rule available that would
> differentiate a normal ICMP echo ping from a malicious one?
> If so, would you be willing to share it?

per RFC3514 [1], the following should work:

alert icmp any any -> any any (msg: "Evil ICMP Ping"; itype:8; fragbits: -M; fragoffset: >4095;)


Though, to be fully RFC3514 compliant, you might want to start your
snort instance with a pcap filter specified on the command line like:
        snort $ARGS 'ip[6] & 32 != 0'


[1] ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt

PLEASE read the RFC before you use this. 

- -- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQFAmbeUQ7EzrewLMS0RApdCAKC1J4o6pft8c8//UmYd3ryPRUuifwCgszyv
/7g9j4eYgYEeEdubMGNdKvQ=
=qXLq
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users