Snort mailing list archives

Re: getting this rule to work


From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 29 Nov 2012 20:27:46 +0000

Your rule is for all IP traffic, not just ICMP traffic. Then it
looks for any packet with a ttl <3 and it triggers.

Try changing the rule to just ICMP; then you can tweak it even more
with ICMP types and codes, not just ttl.

There is (was? I use pp so I forget) an ICMP.rules file that you can
look at for examples.



On Thu, Nov 29, 2012 at 8:18 PM, Akinwale Fasuru <fashman2k1 () yahoo com> wrote:
Hello,
Please, I need help writing this rule correctly to detect an internal user executing the traceroute command to an external
destination.
I wrote this:
alert ip any any -> any any (msg:"Traceroute command attempted"; ttl:<3; sid:1000007;)

When I run the traceroute command it generates this:
1/15-20:27:13.387207  [**] [1:1000007:0] Traceroute command attempted [**] [Priority: 0] {ICMP} 192.168.64.133 -> 
10.1.10.11

It also generates this alert even when I don't issue the traceroute command, if I just leave snort running:
1/15-20:23:41.428077  [**] [1:1000007:0] Traceroute command attempted [**] [Priority: 0] {UDP} 
fe80::6164:3504:b284:123d:546 -> ff02::1:2:547
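
Jeremy's suggestion worked through as an added example (not code from either poster): the original rule beside an ICMP-only version that uses itype, plus a companion UDP rule for the default Unix traceroute, which sends UDP probes to ports 33434-33523 with a low TTL. The rules assume the standard $HOME_NET and $EXTERNAL_NET variables from snort.conf; the sids 1000008 and 1000009 are placeholders.

```snort
# Original rule from the post. "ip" matches every protocol, so any packet
# with TTL/hop limit below 3 fires it, including the link-local DHCPv6
# traffic (UDP 546 -> ff02::1:2 port 547) seen in the second alert.
alert ip any any -> any any (msg:"Traceroute command attempted"; ttl:<3; sid:1000007; rev:1;)

# Tightened: only ICMP echo requests (itype 8) leaving HOME_NET with a low
# TTL. This is what Windows tracert and "traceroute -I" send.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Traceroute (ICMP echo) attempted"; itype:8; ttl:<3; classtype:attempted-recon; sid:1000008; rev:1;)

# Companion rule for the default Unix traceroute, which uses UDP probes to
# the 33434-33523 port range instead of ICMP echo. Restricting the port
# range keeps DHCPv6 (port 547) and other low-hop-limit UDP out of it.
alert udp $HOME_NET any -> $EXTERNAL_NET 33434:33523 (msg:"Traceroute (UDP probe) attempted"; ttl:<3; classtype:attempted-recon; sid:1000009; rev:1;)
```

ttl:<3 matches only the first two probes of a trace (TTL 1 and 2); raise the threshold or add a detection_filter if you want to count the whole run as one event.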


------------------------------------------------------------------------------
Keep yourself connected to Go Parallel:
VERIFY Test and improve your parallel project with help from experts
and peers. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
