Snort mailing list archives

Previous By Date Next
Previous By Thread Next

geting this rule to work

From: Akinwale Fasuru <fashman2k1 () yahoo com>
Date: Thu, 29 Nov 2012 12:18:32 -0800 (PST)
Hello,
Pls I need help in writing this rule correctly to detect an internal user executing traceroute command to external 
destination
I wrote this:
alert ip any any -> any any (msg:"Traceroute command attempted"; ttl:<3; sid:1000007)

When I run the traceroute command it generate this:
1/15-20:27:13.387207  [**] [1:1000007:0] Traceroute command attempted [**] [Priority: 0] {ICMP} 192.168.64.133 -> 
10.1.10.11

It also generates this alert even when I don’t issue the traceroute command, if I just live snort to run:
1/15-20:23:41.428077  [**] [1:1000007:0] Traceroute command attempted [**] [Priority: 0] {UDP} 
fe80::6164:3504:b284:123d:546 -> ff02::1:2:547 


------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
VERIFY Test and improve your parallel project with help from experts 
and peers. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: