Snort mailing list archives

Snort IPS mode couldn't detect the fragmented icmp packet.


From: arulgobinath emmanuel <arulgobi () gmail com>
Date: Thu, 15 Jul 2010 13:09:04 +0530

Hi,
I'm testing Snort in IPS mode [ Version 2.8.6 (Build 38) inline ];
I try to drop the ICMP packets with the following rule:

drop icmp any any -> any any  (msg:"testing icmp found";sid:1000002;)

When I ping with the default packet size, Snort drops it properly:
07/15-13:03:32.195730  [Drop] [**] [1:1000002:0] testing icmp found [**]
[Priority: 0] {ICMP} 203.xx.xx.xx -> 203.xx.xx.xx

But when I increase the packet size, I can ping without any problem:

ping 203.xx.xx.xx -l 1500
Pinging 203.xx.xx.xx with 1500 bytes of data:
Reply from 203.xx.xx.xx: bytes=1500 time=3ms TTL=64

Is it a problem with fragmented packet handling? Are there any configuration changes
I have to make, or suggestions to overcome this issue?

Thanks in advance,
Ragu.
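The fragmentation behind the second test, as an added example that is not part of the original post or of Snort: it builds the ICMP echo that ping -l 1500 sends, splits it at an assumed 1500-byte path MTU, shows that only the first fragment carries an ICMP header for a per-fragment check to match, and reassembles the pieces the way an IP defragmenting stage must before a verdict on the whole datagram is meaningful. The 32-byte case assumes the Windows ping default data size (inferred from the -l syntax in the post); the cause of the behaviour reported above is not diagnosed here.

```python
import struct

MTU = 1500               # assumed path MTU for the ping in the post
IP_HLEN = 20             # IPv4 header without options
ICMP_ECHO_REQUEST = 8

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (returns 0 over a correct datagram)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def icmp_echo(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request (type 8) carrying payload, with the checksum filled in."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def fragments_for(data_len: int, mtu: int = MTU) -> list:
    """Fragment an echo with data_len data bytes (ping -l N) at the given MTU;
    returns [(fragment offset in 8-byte units, more-fragments flag, bytes), ...]."""
    datagram = icmp_echo(b"A" * data_len)            # constructed sample payload
    step = (mtu - IP_HLEN) // 8 * 8                  # 1480 for a 1500 MTU; offsets are 8-byte multiples
    return [(off // 8, off + step < len(datagram), datagram[off:off + step])
            for off in range(0, len(datagram), step)]

def inspect_fragment(frag) -> str:
    """Per-fragment view (no reassembly): only the offset-0 fragment carries
    the ICMP header that a protocol-level rule can match on."""
    offset, _mf, data = frag
    if offset == 0 and data[0] == ICMP_ECHO_REQUEST:
        return "icmp-echo"
    return "no-l4-header"

def reassemble(frags) -> bytes:
    """Rebuild the datagram as a defragmenting stage would; refuse gaps or a
    missing final fragment instead of judging a partial datagram."""
    frags = sorted(frags, key=lambda f: f[0])
    out, expect = b"", 0
    for offset, mf, data in frags:
        if offset * 8 != expect:
            raise ValueError("gap at byte offset %d" % expect)
        out += data
        expect += len(data)
    if frags[-1][1]:
        raise ValueError("last fragment missing")
    return out

if __name__ == "__main__":
    for n in (32, 1500):                             # default Windows ping size vs. ping -l 1500
        frags = fragments_for(n)
        print(n, [inspect_fragment(f) for f in frags], "reassembled:", len(reassemble(frags)))
```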