Snort mailing list archives
Re: Re: Rules that fire on bad checksums?
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 8 Sep 2004 22:16:45 -0500
Ummmmm, you could replace your snort IDS which you know and love. Or you could apply the patch attached below. I was feeling nice and had an extra 5 minutes so I whipped this up for 2.2.0 users out there. Victor Julien and I are working on adding this into snort_inline anyhow. This should apply cleanly to snort-2.2.0 and give you the alerting you desire.

Regards,

Will

On Wed, 8 Sep 2004 22:12:48 -0400, Richard Bejtlich <taosecurity () gmail com> wrote:
> Glenn Forbes Fleming Larratt wrote:
>> tcpdump will make noise when an IP or embedded protocol checksum is bad. I cannot find anything in the Snort manual that would alert on that condition - is there any such thing, either in the rules or in a plugin?
>
> You might consider looking at Vern Paxson's open source Bro IDS (http://bro-ids.org/). The Bro manual index shows several ways to catch bad checksums in various headers. [0] For example:
>
> # checksum error, ICMP: Events handled by conn_weird
> # checksum error, IP: Events handled by net_weird
> # checksum error, TCP: Events handled by conn_weird
> # checksum error, UDP: Events handled by conn_weird
>
> Bro excels at detecting these sorts of odd packet features. I recently exchanged emails with a Bro developer who claims a lot of work is being done to make Bro easier to deploy and manage. I think the new Web site and Wiki are evidence this is happening. [1] My book describes how to set up Bro using Chris Manders' BRA scripts. [2]
>
> Sincerely,
>
> Richard
> http://www.taosecurity.com
>
> [0] http://bro-ids.org/Bro-reference-manual/Index.html
> [1] http://www.icir.org/twiki/bin/view/Bro/WebHome
> [2] http://www.baylinks.com/~cmanders/projects/bra.html and http://www.taosecurity.com/books.html
Attachment: 2.2.0-checksumalerts.diff
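The attached patch is not reproduced in the archive, so as an added illustration of what "alerting on bad checksums" has to compute, here is a small stand-alone verifier. It is example code written for this page, not Will's Snort patch and not Bro's implementation: it builds its own constructed IPv4/UDP and IPv4/TCP packets with the standard library, checks the IP header checksum (RFC 791) and the transport checksum over the pseudo-header (RFC 793/768), and emits alert strings that borrow the wording of the Bro events Richard lists ("checksum error, IP", "checksum error, UDP", ...). The helper names, the addresses 10.0.0.1/10.0.0.2 and the sample payloads are assumptions for the demo. Two edge cases a detector has to get right are shown: an IPv4 UDP checksum of zero means "not computed" and must not alert, and corrupting a payload byte flips only the transport checksum while corrupting the TTL flips only the IP checksum.

```python
"""Verify IPv4, TCP and UDP checksums on raw packets (added example, not from the thread)."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit ones' complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Checksum to place in a header whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF


def verify_ip_checksum(ip: bytes) -> bool:
    """Summing the header *including* its checksum field must give 0xFFFF."""
    ihl = (ip[0] & 0x0F) * 4
    return ones_complement_sum(ip[:ihl]) == 0xFFFF


def verify_transport_checksum(ip: bytes):
    """Return (proto_name, ok) for TCP/UDP, or None for other protocols."""
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    segment = ip[ihl:total_len]
    if proto == 6:
        name = "TCP"
    elif proto == 17:
        name = "UDP"
        if segment[6:8] == b"\x00\x00":
            return (name, True)  # IPv4 UDP: zero means the sender computed no checksum
    else:
        return None
    # Pseudo-header: src, dst, zero, protocol, transport length (RFC 793 / RFC 768)
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(segment))
    return (name, ones_complement_sum(pseudo + segment) == 0xFFFF)


def inspect(ip: bytes) -> list:
    """Detection logic: one alert string per bad checksum, Bro-style wording."""
    alerts = []
    if not verify_ip_checksum(ip):
        alerts.append("checksum error, IP")
    transport = verify_transport_checksum(ip)
    if transport and not transport[1]:
        alerts.append(f"checksum error, {transport[0]}")
    return alerts


# --- constructed test packets (assumed addresses/ports, not captured traffic) ---

def build_ipv4(src: bytes, dst: bytes, proto: int, segment: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment),
                      0x1234, 0x4000, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + segment


def build_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 17, length)
    csum = checksum(pseudo + udp) or 0xFFFF  # RFC 768: a computed 0 is sent as 0xFFFF
    return udp[:6] + struct.pack("!H", csum) + udp[8:]


def build_tcp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    # 20-byte SYN header without options: data offset 5, flags 0x02
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]


SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GOOD_UDP = build_ipv4(SRC, DST, 17, build_udp(SRC, DST, 53000, 53, b"hello"))
GOOD_TCP = build_ipv4(SRC, DST, 6, build_tcp(SRC, DST, 40000, 80, b"GET / HTTP/1.0\r\n\r\n"))


def corrupt(packet: bytes, offset: int, value: int) -> bytes:
    buf = bytearray(packet)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    for label, pkt in [("good udp", GOOD_UDP), ("good tcp", GOOD_TCP),
                       ("udp, payload byte flipped", corrupt(GOOD_UDP, len(GOOD_UDP) - 1, 0x90)),
                       ("udp, ttl changed", corrupt(GOOD_UDP, 8, 1)),
                       ("tcp, sport changed", corrupt(GOOD_TCP, 20, 0x00))]:
        print(f"{label}: {inspect(pkt) or 'clean'}")
```

Run it as a script to see which alert each corruption produces; the functions are also importable so the same logic can be pointed at frames read from a pcap. Note that the IP checksum covers only the header, so a flipped payload byte surfaces only as a transport-level alert, exactly the split Bro makes between net_weird and conn_weird above.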
Current thread:
- Rules that fire on bad checksums? Glenn Forbes Fleming Larratt (Sep 07)
- Re: Rules that fire on bad checksums? Martin Roesch (Sep 08)
- Re: Rules that fire on bad checksums? Chris Green (Sep 08)
- Re: Rules that fire on bad checksums? Will Metcalf (Sep 08)
- Re: Rules that fire on bad checksums? Chris Green (Sep 08)
- <Possible follow-ups>
- Re: Rules that fire on bad checksums? Richard Bejtlich (Sep 08)
- Re: Re: Rules that fire on bad checksums? Will Metcalf (Sep 08)
- Re: Rules that fire on bad checksums? Martin Roesch (Sep 08)