[Snort-devel] Re: new pb on snort v2 ? (icmp large packet)

rmkml rmkml at ...1042...
Tue Apr 22 13:13:26 EDT 2003


Could you help me please?



rmkml wrote:

> Hi,
>
> I found a new problem with snort v200b72?
>
> Attached is a tcpdump file with a large icmp packet (>800),
>
> but snort 191b234 correctly generates this event:
> 04/20-21:21:41.955429  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 80.11.52.193 -> 217.128.40.152
> 04/20-21:21:41.955543  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 217.128.40.152 -> 80.11.52.193
>
> and the new snort 200b72 does not generate the Large packet event, just ping activity...:
> 04/20-21:21:41.955429  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 80.11.52.193 -> 217.128.40.152
> 04/20-21:21:41.955543  [**] [1:408:4] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 217.128.40.152 -> 80.11.52.193
>
> tcpdump confirms the large icmp packet:
> 21:21:41.955429 80.11.52.193 > 217.128.40.152: icmp: echo request (DF) (ttl 252, id 61682, len 1500)
> 21:21:41.955543 217.128.40.152 > 80.11.52.193: icmp: echo reply (ttl 64, id 44962, len 1500)
>
> In my two identical configs (snort191 and snort200):
> icmp.rules first (contains the icmp large packet rule)
> icmp-info.rules (contains icmp ping)
>
> Have I forgotten something?
>
> Thanks for your help...
>
> Regards.
>
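A small regression check for the situation described in the post above, added here as an example and not part of the original thread or of Snort: it correlates the tcpdump lengths with the alert output by timestamp and reports every ICMP packet whose payload exceeds the post's 800-byte threshold but received no "ICMP Large ICMP Packet" (sid 499) alert. It assumes 20-byte IP and 8-byte ICMP headers (no IP options) and that tcpdump's "len" is the IP total length; the sample lines are copied from the post.

```python
import re

# Constructed sample input, copied from the post's own output so the script runs
# offline: snort 2.0.0b72 alerts (no sid 499), snort 1.9.1b234 alerts, and tcpdump.
ALERTS_200 = """\
04/20-21:21:41.955429  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 80.11.52.193 -> 217.128.40.152
04/20-21:21:41.955543  [**] [1:408:4] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 217.128.40.152 -> 80.11.52.193
"""
ALERTS_191 = """\
04/20-21:21:41.955429  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 80.11.52.193 -> 217.128.40.152
04/20-21:21:41.955543  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 217.128.40.152 -> 80.11.52.193
"""
TCPDUMP = """\
21:21:41.955429 80.11.52.193 > 217.128.40.152: icmp: echo request (DF) (ttl 252, id 61682, len 1500)
21:21:41.955543 217.128.40.152 > 80.11.52.193: icmp: echo reply (ttl 64, id 44962, len 1500)
"""

# "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] ..." -> time-of-day and sid
ALERT_RE = re.compile(r"^\S+?-(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]")
# "HH:MM:SS.usec src > dst: icmp: ... len N)" -> time-of-day, endpoints, IP total length
TCPDUMP_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+) > (?P<dst>\S+): icmp:.*len (?P<len>\d+)\)")

LARGE_ICMP_SID = 499               # "ICMP Large ICMP Packet"
DSIZE_THRESHOLD = 800              # the ">800" payload size from the post
IP_HDR_LEN, ICMP_HDR_LEN = 20, 8   # assumption: no IP options

def alert_sids_by_time(alert_text):
    """Map each alert time-of-day to the set of SIDs Snort fired at that instant."""
    sids = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            sids.setdefault(m["ts"], set()).add(int(m["sid"]))
    return sids

def icmp_payload_sizes(tcpdump_text):
    """Yield (ts, src, dst, icmp_payload_bytes) for each ICMP line in tcpdump output."""
    for line in tcpdump_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["len"]) - IP_HDR_LEN - ICMP_HDR_LEN

def missing_large_icmp_alerts(alert_text, tcpdump_text, threshold=DSIZE_THRESHOLD):
    """Packets whose ICMP payload exceeds threshold but that got no sid 499 alert."""
    sids = alert_sids_by_time(alert_text)
    return [(ts, src, dst, size) for ts, src, dst, size in icmp_payload_sizes(tcpdump_text)
            if size > threshold and LARGE_ICMP_SID not in sids.get(ts, set())]

if __name__ == "__main__":
    for gap in missing_large_icmp_alerts(ALERTS_200, TCPDUMP):
        print("no sid 499 for %s %s -> %s (payload %d bytes)" % gap)
```

Run against the 1.9.1 alerts the list is empty; against the 2.0 alerts both 1472-byte payloads are reported, which is exactly the detection gap the post describes.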
