Snort mailing list archives
Re: ICMP Large PAcket
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 20 Mar 2003 13:28:36 -0500
Personally, I use this variant of the rule, which has the drawback of ignoring any large ICMPs that contain long strings of 0's, but at least it doesn't false every time my server gets pinged by one of these probes.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; content:!"|000000000000000000000000|"; reference:arachnids,246; classtype:bad-unknown; sid:1000499; rev:3;)
These packets seem to be some sort of path MTU discovery, or a Speedera type "fastest link" estimator.
At 11:11 AM 3/20/2003 -0600, Jose Ramon Hernandez Macias wrote:
Hi dudes, I'm actually receiving a lot of ICMP Large Packet alerts. After I analyzed most of the packets I've seen, all of them are echo request packets with a size of 1472 bytes of NULL, so the alarm is triggered with >800. My question is: do you recommend me to increase the size to >1472 or >1500?

Thanks

Jose

"Rapidity is the essence of war: take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots." -- Sun Tzu
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
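The following is an added example, not code from the thread or from the Snort project. It emulates, in plain Python, the matching logic of the stock "dsize: >800" rule and of Matt's variant with the negated 12-NUL content match, and runs both over constructed ICMP echo requests: Jose's 1472-byte all-NULL probe, a 1472-byte non-NULL payload, a normal 56-byte ping, and a large payload that merely contains a 12-byte run of zeros (the blind spot Matt mentions). It assumes, as the Snort decoder does for echo requests, that dsize counts the bytes after the 8-byte ICMP echo header; the packet builder and checksum routine are written here for the example.

```python
# Added example: emulate two Snort "ICMP Large ICMP Packet" rule variants
# against constructed ICMP echo requests. Pure Python, no Snort needed.
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_HDR_LEN = 8            # type, code, checksum, id, seq
DSIZE_THRESHOLD = 800            # from "dsize: >800" in both rules
NULL_RUN = bytes(12)             # the negated content "|000000000000000000000000|"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP echo request with a correct checksum (test input only)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def checksum_ok(packet: bytes) -> bool:
    """A packet with a valid checksum sums to zero under the same routine."""
    return icmp_checksum(packet) == 0


def dsize(packet: bytes) -> int:
    """Assumption: Snort's dsize for an echo request is the length after the
    8-byte echo header, so a full-MTU ping (1500 - 20 IP - 8 ICMP) is 1472."""
    return len(packet) - ICMP_ECHO_HDR_LEN


def stock_rule_matches(packet: bytes) -> bool:
    """Stock rule: alert on dsize: >800 alone."""
    return dsize(packet) > DSIZE_THRESHOLD


def variant_rule_matches(packet: bytes) -> bool:
    """Matt's variant: dsize: >800 AND payload does NOT contain 12 NUL bytes.
    Snort evaluates a content match against the payload after the header."""
    payload = packet[ICMP_ECHO_HDR_LEN:]
    return dsize(packet) > DSIZE_THRESHOLD and NULL_RUN not in payload


def classify(packet: bytes) -> dict:
    """Report how each rule variant treats one packet."""
    return {
        "dsize": dsize(packet),
        "checksum_ok": checksum_ok(packet),
        "stock": stock_rule_matches(packet),
        "variant": variant_rule_matches(packet),
    }


# Constructed samples (labelled by what they model, not captured traffic).
SAMPLES = {
    # Jose's observation: 1472 bytes of NULL in an echo request.
    "null_probe_1472": build_icmp_echo(bytes(1472)),
    # Same size but a non-NULL payload, no 12-byte zero run anywhere.
    "data_1472": build_icmp_echo(bytes(range(256)) * 5 + bytes(range(192))),
    # An ordinary 56-byte ping payload.
    "ping_56": build_icmp_echo(bytes(56)),
    # The drawback Matt notes: large payload that happens to contain 12 zeros.
    "embedded_zeros_1112": build_icmp_echo(b"A" * 1000 + bytes(12) + b"B" * 100),
}


def run_all() -> dict:
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:22} dsize={result['dsize']:5} stock={result['stock']!s:5} "
              f"variant={result['variant']!s:5} checksum_ok={result['checksum_ok']}")
```

Running it shows the trade-off the reply describes: the NULL probe fires only the stock rule, the 1472-byte data payload fires both, the 56-byte ping fires neither, and the large packet with an embedded zero run is missed by the variant even though it exceeds the threshold.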
Current thread:
- ICMP Large PAcket Jose Ramon Hernandez Macias (Mar 20)
- Re: ICMP Large PAcket Matt Kettler (Mar 20)
- Re: ICMP Large PAcket Jeff Nathan (Mar 20)
- <Possible follow-ups>
- Re: ICMP Large PAcket Jose Ramon Hernandez Macias (Mar 20)