Snort mailing list archives

Re: [Fwd: Several Misbehaviors with the ICMP implementation (and the 'ping'utility) with MS based operating systems]


From: Fyodor <fygrave () tigerteam net>
Date: Mon, 7 May 2001 03:12:59 +0700

On Sun, May 06, 2001 at 03:14:51PM -0400, Edwin Chiu wrote:
Is there a snort signature for these packets? From what I remember, I don't
think snort 1.7 can do it... what about 1.8?


-------- Original Message --------
Subject: Several Misbehaviors with the ICMP implementation (and the
'ping'utility) with MS based operating systems
Date: Thu, 3 May 2001 06:51:26 -0700
From: Ofir Arkin <ofir () SYS-SECURITY COM>
Reply-To: Ofir Arkin <ofir () SYS-SECURITY COM>
To: BUGTRAQ () SECURITYFOCUS COM

RFC 792 (Internet Control Message Protocol) suggests how the ICMP Identifier
field and the ICMP Sequence Number field should be used:


We _CAN_ check ICMP ID ('icmp_id: ...') and ICMP SEQ
('icmp_seq') fields of an ICMP packet, if that was your
question :-> so up to you if you want to craft the rules ;-)
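
Added example, not part of the original message and not Snort's own code: a Python sketch of where the RFC 792 Identifier and Sequence Number fields sit in an ICMP echo message and of the equality test that 'icmp_id' / 'icmp_seq' style rule options imply. The function names, the `rule_matches` helper and the sample packet values are constructed assumptions.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """One's-complement 16-bit checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"                  # pad odd-length messages
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP echo message (type 8 request, type 0 reply)."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = inet_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body

def parse_echo(msg: bytes):
    """Return (type, id, seq) for a valid echo message, else None."""
    if len(msg) < 8:
        return None                      # truncated header
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (0, 8) or code != 0:
        return None                      # this sketch handles echo only
    if inet_checksum(msg) != 0:
        return None                      # checksum does not verify
    return icmp_type, ident, seq

def rule_matches(msg: bytes, itype=None, icmp_id=None, icmp_seq=None) -> bool:
    """Hypothetical matcher: every option that is set must equal the field."""
    parsed = parse_echo(msg)
    if parsed is None:
        return False
    wanted = (itype, icmp_id, icmp_seq)
    return all(w is None or w == got for w, got in zip(wanted, parsed))

# Constructed sample: echo request with ID 0x1234 and sequence number 7.
SAMPLE = build_echo(8, 0x1234, 7, b"constructed-payload")

if __name__ == "__main__":
    print(parse_echo(SAMPLE))
    print(rule_matches(SAMPLE, itype=8, icmp_id=0x1234, icmp_seq=7))
```

Both fields are 16-bit values in network byte order at offsets 4 and 6 of the ICMP header, so a rule that pins either one is an exact-value comparison against those two bytes.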


