[Snort-devel] Re: [Snort-users] Little new feature

Thomas Walpuski thomas.walpuski at ...224...
Thu Feb 8 16:06:48 EST 2001


On Thu, Feb 08, 2001 at 11:04:34AM -0500, Martin Roesch wrote:
> options.  What this means is that you can specify a bang (!) before the
> quoted search string in a content option now and it will search for
> payloads that *do not* match the specified pattern.  This can be

That's just what you need for icmp-tunneling-detection (as I mentioned on the users-list some weeks ago [http://h07.elxsi.de/projects.html]). If the following string is not the content of an icmp-datagram (type 0 or 8) it's probably icmp-tunneling: "\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10\x11\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2A\x2B\x2C\x2D\x2E\x2F\x30\x31\x32\x33\x34\x35\x36\x37".

THX to Marty - that's the kind of snort development that makes sense
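
The negated content check described in this message, as an added Python example that is not part of the original post and is not Snort code. The function names and sample messages are assumptions made for illustration, and the fill pattern is built as the consecutive byte run 0x08 to 0x37, whereas the string as typed in the message skips \x12.

```python
import struct

# Fill pattern from the message, built here as the consecutive run 0x08..0x37
# (assumption: the string as typed in the message skips \x12).
PING_FILL = bytes(range(0x08, 0x38))
ECHO_TYPES = {0, 8}  # echo reply, echo request


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an ICMP message with a valid checksum (sample input only)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def classify(icmp_msg: bytes) -> str:
    """Apply the negated content match to one ICMP message (no IP header)."""
    if len(icmp_msg) < 8:
        return "malformed"
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", icmp_msg[:8])
    if icmp_type not in ECHO_TYPES or code != 0:
        return "ignored"  # the check only applies to type 0 and type 8
    if icmp_checksum(icmp_msg) != 0:
        return "malformed"  # a valid message sums to zero
    return "normal" if PING_FILL in icmp_msg[8:] else "suspect"


# Constructed sample messages, not captured traffic.
SAMPLES = {
    "unix_ping": build_echo(8, 0x1234, 1, bytes(8) + PING_FILL),
    "other_payload": build_echo(0, 0x1234, 1, b"constructed non-ping data"),
    "unreachable": build_echo(3, 0, 0, bytes(28)),
    "truncated": b"\x08\x00",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:14s} {classify(msg)}")
```

An echo whose payload is shorter than the pattern, or filled differently by its sender, is also reported as suspect, which matches the "probably" in the message: the result is a lead for review, not proof of tunneling.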



