Snort mailing list archives
Re: Rules that fire on bad checksums?
From: Chris Green <cmg () uab edu>
Date: Wed, 08 Sep 2004 13:47:32 -0400
Martin Roesch <roesch () sourcefire com> writes:
You'd need to write a detection plugin that checks the status of the checksum flags in the packet struct. Something like: All you need to do is write the badcksum plugin and you'll be all set. :)
It might be a bit more invasive than that b/c if it checks checksums at all, it skips the rule engine entirely. You'll have to add something that makes all the other rules validate the checksum by default and then have your badchecksum plugin.

Dunno how much things have changed but I doubt anyone has tackled that stuff lately :)

The quickest route for doing that would probably be a preprocessor that alerted on bad checksums.

Cheers,
Chris
--
Chris Green <cmg () dok org>
Warning: time of day goes back, taking countermeasures.
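As an added illustration, not code from this thread or from Snort itself: the per-layer checksum verification such a bad-checksum preprocessor would perform, run over a constructed IPv4/TCP packet (the helper names, addresses and ports are my own choices).

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    """Internet checksum to place in a header whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF

def verify_ipv4_tcp(pkt: bytes) -> dict:
    """Report which checksums of an IPv4/TCP packet are bad, the per-layer
    status a Snort preprocessor would alert on. A header that includes a
    correct checksum sums to 0xFFFF; anything else means corruption."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_bad = ones_complement_sum(pkt[:ihl]) != 0xFFFF
    proto = pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    # TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length) plus the segment.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_bad = ones_complement_sum(pseudo + tcp) != 0xFFFF
    return {"ip_bad": ip_bad, "tcp_bad": tcp_bad}

def build_ipv4_tcp(payload: bytes, corrupt_tcp: bool = False) -> bytes:
    """Constructed sample packet: 10.0.0.1:1234 -> 10.0.0.2:80, SYN, optional payload.
    corrupt_tcp flips one bit of the TCP checksum to simulate a bad-checksum packet."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp_csum = checksum(pseudo + tcp)
    if corrupt_tcp:
        tcp_csum ^= 0x0001
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]   # checksum field at offset 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]  # checksum field at offset 10
    return ip + tcp

if __name__ == "__main__":
    print(verify_ipv4_tcp(build_ipv4_tcp(b"")))
    print(verify_ipv4_tcp(build_ipv4_tcp(b"GET / HTTP/1.0\r\n\r\n", corrupt_tcp=True)))
```

The point of the thread is visible here: a packet that fails the TCP check never reaches the rule engine when Snort verifies checksums, so the alert for it has to come from the layer doing the verification.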
Current thread:
- Rules that fire on bad checksums? Glenn Forbes Fleming Larratt (Sep 07)
- Re: Rules that fire on bad checksums? Martin Roesch (Sep 08)
- Re: Rules that fire on bad checksums? Chris Green (Sep 08)
- Re: Rules that fire on bad checksums? Will Metcalf (Sep 08)
- Re: Rules that fire on bad checksums? Chris Green (Sep 08)
- <Possible follow-ups>
- Re: Rules that fire on bad checksums? Richard Bejtlich (Sep 08)
- Re: Re: Rules that fire on bad checksums? Will Metcalf (Sep 08)
- Re: Rules that fire on bad checksums? Martin Roesch (Sep 08)