RE: Rule content question.

["larosa, vjay" <larosa_vjay () emc com>]

I guess from the lack of replies there is no way for me to accomplish this.

vjl


>  -----Original Message-----
> From:         larosa, vjay  
> Sent: Friday, August 16, 2002 12:01 PM
> To:   'snort-users () lists sourceforge net'
> Subject:      Rule content question.
>
> Hello,
>
> I have a rule content question for the list,
>
> I seem to have a lot of happy packet generators on my network. No matter
> what I tell these people they always
> think they can some how get by me. I am finally giving up, I want to
> change the following rule,
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP
> Packet"; 
> dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499;
> rev:3;)
>
> to ignore any ICMP packet that has a payload of all 00's. I am trying to
> figure out how I can mangle
> this rule to not trigger on these packets. These packets are all varying
> in size as well. Does anybody have 
> any good idea? Thanks!
>
> vjl
>
>
>
> V.Jay LaRosa                           EMC Corporation
> Information Security                  171 South Street
> (508)249-3355 office                  Hopkinton, MA 01748
> (508)498-5575 cell                     www.emc.com
> (888-799-9750 pager                  larosa_vjay () emc com
> (508)497-8082 fax


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users