Re: geting this rule to work

[JJC <cummingsj () gmail com>]

My best suggestion after all of this, capture the packets that you want to detect (using wireshark or tcpdump) and 
review them using wireshark so that you understand them, then begin to write your rule(s) for detection.

Sent from my iPad

On Nov 30, 2012, at 15:37, Akinwale Fasuru <fashman2k1 () yahoo com> wrote:

> Hello,
>
> Here is what i came up with:
> alert icmp any any -> any any (msg:"Traceroute command attempted"; itype:<30; icode:<30; ttl:<30; sid:1000007)
> it seem to work.
> But i need to write same rule for Windows OS, is it going to be the same thing or what needs to be changed?
>
> Wale
>
>
>
>
> --- On Thu, 11/29/12, Giles Coochey <giles () coochey net> wrote:
>
> > From: Giles Coochey <giles () coochey net>
> > Subject: Re: [Snort-users] geting this rule to work
> > To: snort-users () lists sourceforge net
> > Date: Thursday, November 29, 2012, 2:33 PM
> > On 29/11/2012 20:27, Jeremy Hoel
> > wrote:
> > > Your rule is for all IP traffic, not just ICMP
> > traffic..  then it
> > > looks for any packet with a ttl <3 and it triggers.
> > >
> > > Try changing the rule for just icmp, then you can tweak
> > it even more
> > > so with ICMP types and codes, not just ttl.
> > >
> > > There is (was? I use pp so i forget) a ICMP.rules files
> > that you can
> > > look at for examples.
> > Don't most Unices use UDP for traceroute?
> >
> > -- 
> > Regards,
> >
> > Giles Coochey, CCNA, CCNAS
> > NetSecSpec Ltd
> > +44 (0) 7983 877438
> > http://www.coochey.net
> > http://www.netsecspec.co.uk
> > giles () coochey net
> >
> >
> >
> > -----Inline Attachment Follows-----
> >
> > ------------------------------------------------------------------------------
> > Keep yourself connected to Go Parallel: 
> > VERIFY Test and improve your parallel project with help from
> > experts 
> > and peers. http://goparallel.sourceforge.net
> > -----Inline Attachment Follows-----
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
> ------------------------------------------------------------------------------
> Keep yourself connected to Go Parallel: 
> TUNE You got it built. Now make it sing. Tune shows you how.
> http://goparallel.sourceforge.net
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
INSIGHTS What's next for parallel hardware, programming and related areas?
Interviews and blogs by thought leaders keep you ahead of the curve.
http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!