[Snort-sigs] RE: Snort-sigs digest, Vol 1 #64 - 2 msgs

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Tue Sep 11 08:29:01 EDT 2001


Today's Topics:

   1. ICMP Echo Request (Jeffrey C. Ollie)
   2. Request - Signature for CodeRed Green & Blue (Robert J. Gates)

Jeffrey C. Ollie wrote:
....... rules for ICMP echo requests in snort's default rulesets.  Anyway, here are the rules that I came up with:

alert icmp any any -> any any (msg:"ICMP Echo Request"; itype: 8; icode: 0; rev:1;)
alert icmp any any -> any any (msg:"ICMP Echo Request (Undefined Code!)"; itype: 8; rev:1;)

Correct me if I am wrong, but I believe there needs to be a SID in the
rules.

For example:

alert icmp any any -> any any (msg:"ICMP Echo Request"; itype: 8; icode: 0; sid: 9265; rev:1;)
alert icmp any any -> any any (msg:"ICMP Echo Request (Undefined Code!)"; sid: 9266; itype: 8; rev:1;)


James 

P.S.  What is the official way to obtain SID numbers for rules and to submit
rules for integration into the www.snort.org rule snapshots?  I noticed that
some of the rules I have composed (such as the code red activity detection
rule) have not made it into the downloadable rule files.
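
A lint check for the question this message raises, as an added example that is not part of the original post or of Snort itself: it parses each rule's option block and reports rules that carry no sid and sids that are used twice. The function names and the fourth sample rule are constructed for illustration.

```python
# Rules from the message above, one per line, plus one constructed rule
# (the last) that reuses a sid and has an escaped semicolon in its msg.
SAMPLE_RULES = r'''
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype: 8; icode: 0; rev:1;)
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype: 8; icode: 0; sid: 9265; rev:1;)
alert icmp any any -> any any (msg:"ICMP Echo Request (Undefined Code!)"; sid: 9266; itype: 8; rev:1;)
alert icmp any any -> any any (msg:"constructed\; duplicate sid"; itype: 8; sid: 9266; rev:2;)
'''

def parse_options(rule):
    """Return {keyword: value} for the option block of one rule line."""
    # The option block runs from the first "(" to the last ")", so a ")"
    # inside a msg string does not end it early.
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, quoted, escaped = {}, [], False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            # An unquoted, unescaped ";" ends one "keyword: value" option.
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                opts[key.strip()] = val.strip()
            buf = []
            continue
        buf.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
    return opts

def lint(text):
    """Return [(line_no, problem)] for rules with a missing or reused sid."""
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue
        sid = parse_options(line).get("sid")
        if sid is None:
            findings.append((no, "no sid"))
        elif not sid.isdigit():
            findings.append((no, "sid is not a number: " + sid))
        elif sid in seen:
            findings.append((no, "sid %s already used on line %d" % (sid, seen[sid])))
        else:
            seen[sid] = no
    return findings

if __name__ == "__main__":
    for no, problem in lint(SAMPLE_RULES):
        print("line %d: %s" % (no, problem))
```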




