Snort mailing list archives

Re: geting this rule to work


From: Y M <snort () outlook com>
Date: Thu, 29 Nov 2012 23:38:59 +0300

The protocol-icmp.rules file has a rule ready for detecting traceroutes. If you will be using PulledPork, look for that 
rule's sid, include it in your enablesid.conf file and test. Just make sure the flow of the rule matches your 
$HOME_NET and $EXTERNAL_NET configs. If not, add the modifications required in your modifysid.conf file (if you are 
using PulledPork), or simply make the changes inline.

YM
________________________________
From: Jeremy Hoel
Sent: 11/29/2012 11:28 PM
To: Akinwale Fasuru
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] geting this rule to work

Your rule is for all IP traffic, not just ICMP traffic. Then it
looks for any packet with a ttl <3 and it triggers.

Try changing the rule for just icmp, then you can tweak it even more
so with ICMP types and codes, not just ttl.

There is (was? I use pp so I forget) an ICMP.rules file that you can
look at for examples.



On Thu, Nov 29, 2012 at 8:18 PM, Akinwale Fasuru <fashman2k1 () yahoo com> wrote:
Hello,
Please, I need help in writing this rule correctly to detect an internal user executing the traceroute command to an 
external destination.
I wrote this:
alert ip any any -> any any (msg:"Traceroute command attempted"; ttl:<3; sid:1000007;)

When I run the traceroute command it generates this:
1/15-20:27:13.387207  [**] [1:1000007:0] Traceroute command attempted [**] [Priority: 0] {ICMP} 192.168.64.133 -> 10.1.10.11

It also generates this alert even when I don't issue the traceroute command, if I just leave snort running:
1/15-20:23:41.428077  [**] [1:1000007:0] Traceroute command attempted [**] [Priority: 0] {UDP} fe80::6164:3504:b284:123d:546 -> ff02::1:2:547
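Added example (not code from the thread, and not the stock protocol-icmp.rules entries): two local rules that apply Jeremy's and YM's advice to the poster's rule. The original "alert ip any any -> any any ... ttl:<3" matches every packet of every protocol with a low TTL, which is why DHCPv6 solicitations (UDP 546 -> 547 to the link-local multicast group ff02::1:2, sent with a hop limit of 1) fired it. The rules below restrict protocol, direction (internal -> external, the poster's case) and, for UDP, the destination port range. The sids 1000007/1000008 and msg strings are placeholders; the rules assume $HOME_NET and $EXTERNAL_NET are set in snort.conf and that the sensor sees the internal host's traffic within two hops of it.

```snort
# Added example rules for local.rules. Not from protocol-icmp.rules;
# sids and msg text are placeholders chosen for this illustration.

# Windows tracert (and "traceroute -I" on Linux): ICMP echo requests with a
# low TTL. itype:8 is echo request. Only the first two hops' probes have a
# TTL below 3, and traceroute sends three probes per hop by default, so the
# threshold collapses a single run into one alert per source per minute.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL ICMP traceroute from internal host"; itype:8; ttl:<3; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; sid:1000007; rev:1;)

# Linux/BSD traceroute default: UDP probes to the 33434+ port range with a
# low TTL. The destination port range is what excludes DHCPv6 (port 547)
# and other link-local chatter that the original "ip any any" rule caught.
alert udp $HOME_NET any -> $EXTERNAL_NET 33434:33534 (msg:"LOCAL UDP traceroute from internal host"; ttl:<3; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; sid:1000008; rev:1;)
```

Put these in local.rules, confirm the file is included from snort.conf, check the configuration parses with `snort -T -c /etc/snort/snort.conf`, then run a traceroute from an internal host to an external address and a plain ping for comparison: the traceroute should produce one alert per rule, the ping none (its TTL is 64 or 128). Two caveats a practitioner would want: the TTL test only works if the sensor sits within two hops of the client, because a probe with TTL 1 is discarded by the first router and never reaches a sensor beyond it; and these rules are IPv4-oriented, since traceroute6 uses ICMPv6 echo (type 128), not type 8. If you prefer the stock rule YM mentions, note that vendor rules of this kind are typically written for inbound probes ($EXTERNAL_NET -> $HOME_NET), so the direction has to be swapped in modifysid.conf or inline before it will catch an internal user.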


------------------------------------------------------------------------------
Keep yourself connected to Go Parallel:
VERIFY Test and improve your parallel project with help from experts
and peers. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
