[Snort-devel] new pb on snort v2 ? (icmp large packet)

rmkml rmkml at ...1042...
Sun Apr 20 14:41:06 EDT 2003


Hi,

I found a new problem with snort v200b72?

Attached is a tcpdump file with a large icmp packet (>800),

but snort 191b234 correctly raises an event for this:
04/20-21:21:41.955429  [**] [1:499:3] ICMP Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {ICMP}
80.11.52.193 -> 217.128.40.152
04/20-21:21:41.955543  [**] [1:499:3] ICMP Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {ICMP}
217.128.40.152 -> 80.11.52.193

and the new snort 200b72 raises no Large packet event, just ping activity...:
04/20-21:21:41.955429  [**] [1:384:4] ICMP PING [**] [Classification:
Misc activity] [Priority: 3] {ICMP} 80.11.52.193 -> 217.128.40.152
04/20-21:21:41.955543  [**] [1:408:4] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 217.128.40.152 ->
80.11.52.193

tcpdump confirms the large icmp packet:
21:21:41.955429 80.11.52.193 > 217.128.40.152: icmp: echo request (DF)
(ttl 252, id 61682, len 1500)
21:21:41.955543 217.128.40.152 > 80.11.52.193: icmp: echo reply (ttl 64,
id 44962, len 1500)

In my two identical confs (snort191 and snort200):
icmp.rules comes first (contains the icmp large packet rule)
icmp-info.rules (contains icmp ping)

Have I forgotten something?

Thanks for your help...

Regards.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: largeicmp.tcpdump.gz
Type: application/x-gzip
Size: 146 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030420/bb2e7e22/attachment.bin>
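The post shows the same 1500-byte echo request and reply tripping sid 499 (ICMP Large ICMP Packet, priority 2) under 1.9.1 but only sid 384 / 408 (ping and echo reply, priority 3) under 2.0.0b72, so the packet matches more than one rule and which event is reported depends on how the engine picks among matches. The following is an added example, not Snort code and not from this thread: a toy matcher with the three rules modelled as I understand them from the alert lines (dsize > 800 for 499, itype 8 for 384, itype 0 for 408; the field names, the `Rule` class and the two selection strategies are my own assumptions), fed constructed raw ICMP messages. It contrasts "report the first rule that matches in file order" with "report the matching rule with the most urgent priority", and derives the ICMP payload size from the `len 1500` that tcpdump prints.

```python
"""Toy ICMP rule matching: file-order first match vs. priority-based selection.

Added illustration, not Snort's detection engine. Rule fields mirror the
signatures named in the thread but are modelled by hand.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HEADER_LEN = 20     # no IP options, as in the tcpdump lines quoted
ICMP_HEADER_LEN = 8    # type, code, checksum, id, seq


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    priority: int                     # lower number = more urgent
    itype: Optional[int] = None       # required ICMP type, if any
    min_dsize: Optional[int] = None   # fires when payload length > min_dsize

    def matches(self, itype: int, dsize: int) -> bool:
        if self.itype is not None and itype != self.itype:
            return False
        if self.min_dsize is not None and dsize <= self.min_dsize:
            return False
        return True


# Constructed rule set modelled on the alerts in the post (assumed options).
LARGE_ICMP = Rule(499, "ICMP Large ICMP Packet", priority=2, min_dsize=800)
ICMP_PING = Rule(384, "ICMP PING", priority=3, itype=8)
ECHO_REPLY = Rule(408, "ICMP Echo Reply", priority=3, itype=0)

ICMP_RULES_FIRST = [LARGE_ICMP, ICMP_PING, ECHO_REPLY]   # icmp.rules before icmp-info.rules
ICMP_INFO_FIRST = [ICMP_PING, ECHO_REPLY, LARGE_ICMP]    # the opposite load order


def dsize_from_ip_len(ip_len: int) -> int:
    """ICMP payload bytes implied by tcpdump's 'len N' (total IP length)."""
    return ip_len - IP_HEADER_LEN - ICMP_HEADER_LEN


def build_icmp(itype: int, payload_len: int) -> bytes:
    """Constructed raw ICMP message; checksum is left zero, it is not checked here."""
    header = struct.pack("!BBHHH", itype, 0, 0, 0x1234, 1)
    return header + b"A" * payload_len


def parse_icmp(pkt: bytes) -> Tuple[int, int]:
    """Return (itype, dsize): the ICMP type and the payload length after the header."""
    if len(pkt) < ICMP_HEADER_LEN:
        raise ValueError("truncated ICMP message")
    return pkt[0], len(pkt) - ICMP_HEADER_LEN


def first_match(rules: List[Rule], pkt: bytes) -> Optional[int]:
    """Report only the first matching rule in load order (order-dependent)."""
    itype, dsize = parse_icmp(pkt)
    for rule in rules:
        if rule.matches(itype, dsize):
            return rule.sid
    return None


def best_match(rules: List[Rule], pkt: bytes) -> Optional[int]:
    """Report the most urgent matching rule; ties broken by sid, so order is irrelevant."""
    itype, dsize = parse_icmp(pkt)
    hits = [r for r in rules if r.matches(itype, dsize)]
    if not hits:
        return None
    return min(hits, key=lambda r: (r.priority, r.sid)).sid


if __name__ == "__main__":
    big_request = build_icmp(8, dsize_from_ip_len(1500))
    big_reply = build_icmp(0, dsize_from_ip_len(1500))
    small_request = build_icmp(8, 56)
    for name, pkt in [("request 1500", big_request), ("reply 1500", big_reply),
                      ("request 84", small_request)]:
        print(name,
              "first/icmp.rules-first:", first_match(ICMP_RULES_FIRST, pkt),
              "first/icmp-info-first:", first_match(ICMP_INFO_FIRST, pkt),
              "priority:", best_match(ICMP_INFO_FIRST, pkt))
```

With 1500-byte IP datagrams the payload is 1472 bytes, so both the large-packet rule and the ping or echo-reply rule match; a first-match engine reports sid 499 only when icmp.rules is loaded first, while priority-based selection reports 499 regardless of file order. The small 84-byte ping matches only sid 384 either way. Whichever strategy a given Snort release uses, checking the rule order and the per-packet event selection is the first thing to verify when a more specific alert stops appearing after an upgrade.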

