[Snort-sigs] Get rid of AIX PMTU Size Discovery MISC large ICMP alerts

Lukas Matasovsky lukas_matasovsky at ...594...
Fri May 17 04:29:04 EDT 2002


Problem:

        MISC_RULES.rules
        alert icmp $EXTERNAL_NET any -> $HOME_NET any ( \
        msg:"MISC Large ICMP Packet"; \
        dsize: >800;  \
        reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)

catches the AIX Path MTU Size Discovery Packets:

__________________________________________________________________
2002-XX-XX XX:XX:XX   SID:X CID:33484
MISC Large ICMP Packet
[ICMP] X.X.X.X ->  X.X.X.X 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
... removed 90 lines ...
__________________________________________________________________

I wanted to get rid of these alerts and tried:

Within a custom filterset file:

        pass icmp $EXTERNAL_NET any -> $HOME_NET any ( \
        msg:"AIX PMTU Size Discovery";  \
        dsize: 1500;)
or
        pass icmp $EXTERNAL_NET any -> $HOME_NET any ( \
        msg:"AIX PMTU Size Discovery";  \
        dsize: 1472;)
or
        pass icmp $EXTERNAL_NET any -> $HOME_NET any ( \
        msg:"AIX PMTU Size Discovery";  \
        dsize: 1492;)
or
        pass icmp any any -> any any ( \
        msg:"AIX PMTU Size Discovery"; \
        itype:8; icode:0; \
        content:"|0000000000000000000000000000000000000000|"; \
        icmp_id:39612;  tos:0; fragbits:D+;)

... did not work.

To alter the original filter:

        alert icmp $EXTERNAL_NET any -> $HOME_NET any ( \
        msg:"AIX PMTU Size Discovery"; \
        dsize: >800; \
        content: ! "|000000000000000000000000000000000000000|";)

... did not work.

To combine 2 filters in a custom filterset file:

        alert icmp any any -> any any ( \
        msg:"MISC Large ICMP Packet"; \
        dsize: >800;)

        pass icmp any any -> any any ( \
        msg:"AIX PMTU Size Discovery"; \
        itype:8; icode:0; \
        content:"|0000000000000000000000000000000000000000|";)

... did not work.

A filter represents logical AND statements, right?
A set of filters in a file represents logical OR statements, right?
I use the -o option to parse "pass" rules before "alert" rules.

In which order are filters of one rule action (e.g. "alert") applied?!?

How do I correctly quote bytecode?
This way: content:"|0000000000000000000000000000000000000000|";
or this way: content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |";
?

Regards,

Lukas
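The following Python model is an added illustration of the rule options the post wrestles with; it is constructed for this page and is neither Snort code nor the poster's. It decodes |hex| bytecode in both quoting styles (spaces between hex bytes are optional), evaluates dsize and negated content as one AND-combined rule, and derives the ICMP payload length that dsize sees for a 1500-byte IP datagram, assuming a 20-byte IP header and an 8-byte echo header.

```python
"""Toy evaluator for the dsize/content rule options discussed above.
Constructed example covering only the Snort subset needed here:
dsize (exact, '>', '<') and content with optional '!' and |hex| bytecode."""
import re


def parse_content(value: str) -> bytes:
    """Decode a content string: text outside pipes is literal, text between
    pipes is hex. Whitespace inside |...| is ignored, so "|0000|" and
    "|00 00|" decode to the same two bytes."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        if i % 2 == 0:
            out += chunk.encode()  # literal text segment
        else:
            hexdigits = re.sub(r"\s+", "", chunk)
            if len(hexdigits) % 2:  # an odd digit count cannot form bytes
                raise ValueError("odd number of hex digits inside |...|")
            out += bytes.fromhex(hexdigits)
    return bytes(out)


def dsize_matches(spec: str, payload_len: int) -> bool:
    spec = spec.strip()
    if spec.startswith(">"):
        return payload_len > int(spec[1:])
    if spec.startswith("<"):
        return payload_len < int(spec[1:])
    return payload_len == int(spec)


def content_matches(spec: str, payload: bytes) -> bool:
    """spec is the raw option value, e.g. '"|00 00|"' or '! "|00 00|"'."""
    negate = spec.lstrip().startswith("!")
    quoted = spec.split('"', 1)[1].rsplit('"', 1)[0]
    found = parse_content(quoted) in payload
    return not found if negate else found


def rule_matches(options: dict, payload: bytes) -> bool:
    """Every option of one rule must hold (logical AND)."""
    checks = {"dsize": lambda v: dsize_matches(v, len(payload)),
              "content": lambda v: content_matches(v, payload)}
    return all(checks[key](val) for key, val in options.items())


def icmp_payload_len(ip_total_len: int, ip_hdr=20, icmp_hdr=8) -> int:
    """Assumption: dsize counts bytes after the IP and ICMP echo headers."""
    return ip_total_len - ip_hdr - icmp_hdr


# Constructed stand-in for a probe: 1500-byte datagram, all-zero payload.
PROBE_PAYLOAD = b"\x00" * icmp_payload_len(1500)
```

With these definitions, a dsize of 1500 can never match an Ethernet-sized probe, since only 1472 bytes remain after the headers.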
