Snort mailing list archives

Re: Rules that fire on bad checksums?


From: Chris Green <cmg () uab edu>
Date: Wed, 08 Sep 2004 13:47:32 -0400

Martin Roesch <roesch () sourcefire com> writes:

> You'd need to write a detection plugin that checks the status of the
> checksum flags in the packet struct.   Something like:
>
> All you need to do is write the badcksum plugin and you'll be all
> set. :)

It might be a bit more invasive than that b/c if it checks checksums
at all, it skips the rule engine entirely.

You'll have to add something that makes all the other rules validate
the checksum by default and then have your badchecksum plugin.  Dunno
how much things have changed but I doubt anyone has tackled that stuff
lately :)

The quickest route for doing that would probably be a preprocessor
that alerted on bad checksums.  

Cheers,
Chris
-- 
Chris Green <cmg () dok org>
Warning: time of day goes back, taking countermeasures.
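
Added example, not part of the original message and not Snort code: a standalone C sketch of the check a bad-checksum preprocessor would have to perform, verifying the IPv4 header checksum and the TCP checksum (RFC 1071 sum over the pseudo-header) and returning a flag bitmask. The flag names, `check_checksums`, and the sample packet are assumptions made for illustration; it does not use Snort's plugin API or its packet struct.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical flag names for this example (not Snort identifiers). */
#define BAD_IP_CSUM  0x01u
#define BAD_TCP_CSUM 0x02u
#define TRUNCATED    0x80u

/* Constructed sample: 192.0.2.1:1234 -> 192.0.2.2:80 TCP SYN, valid checksums. */
const uint8_t sample_pkt[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0xf6,0xcb,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x06,0xbc,0x00,0x00 };

/* RFC 1071 one's-complement accumulation over len bytes. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;        /* pad odd trailing byte */
    return sum;
}

/* Fold carries and complement; 0 means the covered data verifies. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Bitmask of checksum problems for one IPv4 packet (TCP checked only). */
unsigned check_checksums(const uint8_t *pkt, size_t caplen)
{
    unsigned flags = 0;
    if (caplen < 20 || (pkt[0] >> 4) != 4) return TRUNCATED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = (size_t)(pkt[2] << 8 | pkt[3]);
    if (ihl < 20 || tot < ihl || tot > caplen) return TRUNCATED;
    if (csum_fold(csum_add(0, pkt, ihl)) != 0) flags |= BAD_IP_CSUM;

    unsigned frag = (unsigned)(pkt[6] << 8 | pkt[7]) & 0x3fff;  /* MF + offset */
    size_t tlen = tot - ihl;
    if (pkt[9] != 6 || frag != 0) return flags; /* not an unfragmented TCP segment */
    if (tlen < 20) return flags | TRUNCATED;
    uint8_t pseudo[4] = { 0, 6, (uint8_t)(tlen >> 8), (uint8_t)tlen };
    uint32_t sum = csum_add(0, pkt + 12, 8);    /* pseudo-header: src + dst */
    sum = csum_add(sum, pseudo, 4);             /* zero, protocol, TCP length */
    sum = csum_add(sum, pkt + ihl, tlen);
    if (csum_fold(sum) != 0) flags |= BAD_TCP_CSUM;
    return flags;
}
```

On a sensor, packets sent by the local host can show bad checksums in a capture when the NIC computes them in hardware, so alerts from a check like this are best scoped to received traffic.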


