Snort mailing list archives

Re: Problem with icmp_seq

From: Jamie Riden <jamie.riden () gmail com>
Date: Wed, 25 Nov 2009 11:22:15 +0000

icmp_seq refers to the ICMP sequence number, part of the ICMP header,
not the data portion of the packet. Can you send a packet dump so we
can check whether the itype, content and icmp_seq matches actually do
match?

cheers,
 Jamie

2009/11/25 sofia insat <sofia.insat () yahoo fr>


Hi,

I have to verify with an hexadecimal icmp sequence that have this value "beef"
so I have written this rule :
alert icmp any any -> any any (msg:"----------- ICMPv6 : echo request -----------"; itype:128; content: "AAA"; 
icmp_seq: beef; sid:1000001;)
but It does not detect a packet that have this icmp sequence

How can I resolve this problem

Thanks




--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
http://www.ukhoneynet.org/members/jamie/

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Current thread:

Problem with icmp_seq sofia insat (Nov 25)
- Re: Problem with icmp_seq Jamie Riden (Nov 25)