Snort mailing list archives
Re: A question on ethernet padding
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 23 Jan 2014 20:25:42 +0000
BTW - I think snort might count the icmp code/type/protocol bits as part of data, so making it dsize:>31; fixed it. Thanks!

On Thu, Jan 23, 2014 at 8:20 PM, Jeremy Hoel <jthoel () gmail com> wrote:
> So there you go.. I was trying various offsets and depths and didn't seem to get it. But I'll try that. Thanks!
>
> BTW - Should that be part of the rule? Since you wouldn't want those to fire if they had 0 data?
>
> On Thu, Jan 23, 2014 at 8:17 PM, James Lay <jlay () slave-tothe-box net> wrote:
>> On 2014-01-23 12:54, Jeremy Hoel wrote:
>>> I was wondering kind of the same question.. in regards to those new ICMP rules. NetApps don't have any ICMP data, just the main requests, but there seems to always be 10 bytes |00| in what wireshark calls padding, and I'm curious if I can write the rule around that.
>>>
>>> On Thu, Jan 23, 2014 at 4:07 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>>> Does snort treat ethernet padding as data? Wireshark shows that I have 1 byte of data in a packet after my ethernet and ip headers. My ethernet header, normally 14 bytes, includes 17 bytes of Padding. Does snort consider the padding as data? Trying to figure out what offset and depth to use on this rule. Hope I'm explaining this well..thanks all.
>>>>
>>>> James
>>
>> An end around to NOT see these can be to add dsize:>1; to your rule...should nuke out these zero data pings.
>>
>> James
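The question running through this thread is whether the zero bytes Wireshark labels "Padding" count toward the payload that a dsize test measures. The example below is added here and is not code from the thread or from the Snort project; it builds constructed Ethernet/IPv4/ICMP echo frames, pads short ones to the 60-byte Ethernet minimum the way a NIC does, and then sizes the ICMP payload from the IP total length rather than from the captured frame length. Anything past the end of the IP datagram is trailer padding, not data. The helper assumes an 8-byte echo header (type, code, checksum, identifier, sequence) when counting payload; the exact accounting Snort's own decoder applies is what the thread is unsure about, so treat `icmp_payload_len` as the IP-layer view, not a statement of Snort internals. The MAC and IP addresses are made up.

```python
import struct

ETH_HDR_LEN = 14
IP_HDR_LEN = 20
ICMP_ECHO_HDR_LEN = 8       # type, code, checksum, identifier, sequence
ETH_MIN_FRAME_LEN = 60      # minimum Ethernet frame length, excluding the 4-byte FCS


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo request with the given payload.

    Frames shorter than 60 bytes are zero-padded, which is what the NIC does on
    the wire and what Wireshark later shows as 'Padding'.
    """
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    total_length = IP_HDR_LEN + len(icmp)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto=1 (ICMP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))   # constructed addresses
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # constructed MACs
    frame = eth + ip + icmp
    if len(frame) < ETH_MIN_FRAME_LEN:
        frame += b"\x00" * (ETH_MIN_FRAME_LEN - len(frame))
    return frame


def analyze_frame(frame: bytes) -> dict:
    """Split a captured frame into IP datagram and Ethernet trailer padding.

    The datagram ends where the IP total length says it ends; the ICMP payload
    is what remains after the 8-byte echo header inside that datagram.
    """
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    total_length = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    ip_end = ETH_HDR_LEN + total_length
    ip_header = frame[ETH_HDR_LEN:ETH_HDR_LEN + ihl]
    icmp = frame[ETH_HDR_LEN + ihl:ip_end]
    payload = icmp[ICMP_ECHO_HDR_LEN:]
    trailer = frame[ip_end:]
    return {
        "frame_len": len(frame),
        "ip_total_length": total_length,
        "icmp_payload_len": len(payload),
        "padding_len": len(trailer),
        "padding_all_zero": trailer == b"\x00" * len(trailer),
        "ip_checksum_ok": internet_checksum(ip_header) == 0,
        "icmp_checksum_ok": internet_checksum(icmp) == 0,
    }


def payload_exceeds(frame: bytes, n: int) -> bool:
    """IP-layer equivalent of a 'dsize:>n;' style test (assumption: payload sized as above)."""
    return analyze_frame(frame)["icmp_payload_len"] > n


if __name__ == "__main__":
    for label, payload in (("empty ping", b""), ("1-byte ping", b"A"), ("32-byte ping", b"x" * 32)):
        print(label, analyze_frame(build_icmp_echo_frame(payload)))
```

Running it shows the shape James described: a 1-byte payload gives a 43-byte frame that the NIC pads with 17 zero bytes, and an empty payload gives 18 bytes of padding, while a 32-byte ping needs no padding at all. Because the padding lies outside the IP total length, a decoder that sizes payload from the IP header sees 0 or 1 bytes of data for those pings, which is why a dsize threshold separates them from real echo traffic.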