Snort mailing list archives

Re: Snort rule regarding L3Retriever Ping


From: Brian <bmc () snort org>
Date: Wed, 20 Mar 2002 10:50:47 -0500

According to Ashley Thomas:
There was a question regarding the below rule: (but didn't find any
replies)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; 
 content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
 reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)

Is there any particular reason for this alert?

Yeap, someone was using this tool to scan your network.  

To ME, this isn't that important, but others may find it important to
look at.

-brian
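
How the quoted rule's options combine, as an added example that is not part of the original post or of Snort's own code: a Python check that applies `itype`, `icode` and the depth-limited `content` match to constructed ICMP messages. It assumes the inspected payload begins after the 8-byte echo header; the function names are hypothetical.

```python
import struct

# Values taken from the rule quoted above (sid:466).
CONTENT = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
ITYPE, ICODE, DEPTH = 8, 0, 32
ECHO_HDR_LEN = 8  # assumption: type, code, checksum, id, seq precede the payload


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes, ident=1, seq=1) -> bytes:
    """Build a constructed ICMP echo-style message for testing (hypothetical helper)."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def matches_sid_466(icmp_msg: bytes) -> bool:
    """Evaluate itype, icode and the depth-limited content match (hypothetical helper)."""
    if len(icmp_msg) < ECHO_HDR_LEN:
        return False  # truncated message: nothing to inspect
    icmp_type, code = icmp_msg[0], icmp_msg[1]
    if icmp_type != ITYPE or code != ICODE:
        return False
    payload = icmp_msg[ECHO_HDR_LEN:]
    # depth:32 restricts the search to the first 32 payload bytes;
    # the match is case-sensitive because the rule has no "nocase".
    return CONTENT in payload[:DEPTH]


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "uppercase payload, echo request": build_icmp(8, 0, CONTENT),
    "lowercase payload, echo request": build_icmp(8, 0, CONTENT.lower()),
    "uppercase payload, echo reply": build_icmp(0, 0, CONTENT),
    "pattern pushed past depth": build_icmp(8, 0, b"\x00" * 4 + CONTENT),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {matches_sid_466(msg)}")
```

Only the first sample matches: the other three fail on case, ICMP type, and the depth limit respectively.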
