Snort mailing list archives
Re: Rules that fire on bad checksums?
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 8 Sep 2004 10:30:57 -0400
You'd need to write a detection plugin that checks the status of the checksum flags in the packet struct. Something like:
alert ip any any -> any any (badcksum: any; msg: "Bad Checksum Detected";)
All you need to do is write the badcksum plugin and you'll be all set. :)
-Marty

On Sep 7, 2004, at 10:51 AM, Glenn Forbes Fleming Larratt wrote:
tcpdump will make noise when an IP or embedded protocol checksum is bad.
I cannot find anything in the Snort manual that would alert on that
condition - is there any such thing, either in the rules or in a plugin?

-g

Glenn Forbes Fleming Larratt
Rice University Networking
glratt () rice edu

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
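What a bad-checksum check has to establish for each packet, as an added example that is not part of the message above and is not Snort's code: a stand-alone C routine that recomputes the IPv4 header checksum and the TCP checksum (with its pseudo-header) and returns a bitmask of failures. The flag names, the function names and the sample packet are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result bits for this example; not Snort's own flag names. */
#define BAD_IP_CKSUM  0x01u
#define BAD_TCP_CKSUM 0x02u
#define TRUNCATED     0x80u
/* Constructed sample: 20-byte IPv4 header + 20-byte TCP SYN, checksums valid. */
static const uint8_t SAMPLE_OK[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x4e,0x98,
    0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x02,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x9e,0x88,0x00,0x00 };
/* RFC 1071 one's-complement sum of big-endian 16-bit words, seeded with sum. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;      /* pad an odd trailing byte */
    return sum;
}
/* Fold the carries; data that includes a correct checksum folds to 0xffff. */
static int sums_ok(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return sum == 0xffff;
}
/* pkt points at the IPv4 header; returns a bitmask of the failures found. */
unsigned check_ipv4_checksums(const uint8_t *pkt, size_t caplen) {
    if (caplen < 20 || (pkt[0] >> 4) != 4) return TRUNCATED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > caplen) return TRUNCATED;
    unsigned flags = sums_ok(ones_sum(pkt, ihl, 0)) ? 0 : BAD_IP_CKSUM;
    int fragment = (pkt[6] & 0x3f) || pkt[7];  /* MF set or offset != 0 */
    if (pkt[9] == 6 && !fragment) {            /* TCP, whole segment present */
        size_t seglen = total - ihl;
        if (seglen < 20) return flags | TRUNCATED;
        uint32_t sum = ones_sum(pkt + 12, 8, 0);   /* pseudo-header: src, dst */
        sum += 6u + (uint32_t)seglen;              /* protocol + TCP length */
        if (!sums_ok(ones_sum(pkt + ihl, seglen, sum))) flags |= BAD_TCP_CKSUM;
    }
    return flags;
}

int main(void) {
    uint8_t pkt[sizeof SAMPLE_OK];
    memcpy(pkt, SAMPLE_OK, sizeof pkt);
    pkt[8] ^= 0x01;               /* change TTL, leave the checksum stale */
    printf("stale TTL -> flags 0x%02x\n", check_ipv4_checksums(pkt, sizeof pkt));
    return 0;
}
```

On a sensor that also captures its own host's traffic, transmit checksum offload makes locally generated packets appear with bad checksums, so such packets need to be excluded before alerting on the result.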
Current thread:
- Rules that fire on bad checksums? Glenn Forbes Fleming Larratt (Sep 07)
- Re: Rules that fire on bad checksums? Martin Roesch (Sep 08)
- Re: Rules that fire on bad checksums? Chris Green (Sep 08)
- Re: Rules that fire on bad checksums? Will Metcalf (Sep 08)
- Re: Rules that fire on bad checksums? Chris Green (Sep 08)
- <Possible follow-ups>
- Re: Rules that fire on bad checksums? Richard Bejtlich (Sep 08)
- Re: Re: Rules that fire on bad checksums? Will Metcalf (Sep 08)
- Re: Rules that fire on bad checksums? Martin Roesch (Sep 08)