[Snort-sigs] Re: Snort-sigs digest, Vol 1 #238 - 1 msg

Lukas Matasovsky lukas_matasovsky at ...594...
Fri May 24 00:30:02 EDT 2002


I'm still stuck with the Rule for AIX PMTU Size Discovery.

Can anyone tell me why:

alert icmp $EXTERNAL_NET any -> $HOME_NET any ( \
msg:"AIX PMTU SIZE DISCOVERY eq 1470"; \
itype:8; icode:0; \
content:"|00000000000000000000000000000000000000000000000000000000000000000000000000000000|"; \
dsize: 1470;)

catches packets of length 1500?!?

and:

alert icmp $EXTERNAL_NET any -> $HOME_NET any ( \
msg:"AIX PMTU SIZE DISCOVERY lt 1470"; \
itype:8; icode:0; \
content:"|00000000000000000000000000000000000000000000000000000000000000000000000000000000|"; \
dsize: <1470;)

catches 1500-byte packets too?!?

What exactly does "dsize" mean in Snort? (Datagram size?)

BTW:

alert icmp $EXTERNAL_NET any -> $HOME_NET any ( \
msg:"AIX PMTU SIZE DISCOVERY eq 1472"; \
itype:8; icode:0; \
content:"|00000000000000000000000000000000000000000000000000000000000000000000000000000000|"; \
dsize: 1472;)

or

alert icmp $EXTERNAL_NET any -> $HOME_NET any ( \
msg:"AIX PMTU SIZE DISCOVERY eq 1471"; \
itype:8; icode:0; \
content:"|00000000000000000000000000000000000000000000000000000000000000000000000000000000|"; \
dsize: 1471;)

or

alert icmp $EXTERNAL_NET any -> $HOME_NET any ( \
msg:"AIX PMTU SIZE DISCOVERY gt 1472"; \
itype:8; icode:0; \
content:"|00000000000000000000000000000000000000000000000000000000000000000000000000000000|"; \
dsize: >1472;)

do not catch any packets.
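Added example, not part of the post and not Snort's own code: a Python sketch that builds a constructed ICMP echo request of a given IP total length, computes the byte count that Snort's decoder hands to dsize and content for an echo (the data after the 20-byte IP header and the 8-byte echo header; an assumption about the Snort version in use here), and evaluates the five posted dsize/content checks against it, so the reader can see which rule a packet of each size would trip.

```python
import struct

# Constructed sample traffic, not a capture from the thread: an IPv4 ICMP echo
# request with a 20-byte IP header, an 8-byte echo header and zero-filled data.
def build_icmp_echo(total_len: int) -> bytes:
    """Build an echo request whose IP total length is total_len bytes."""
    data_len = total_len - 20 - 8
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)   # type 8, code 0, id, seq
    return ip_hdr + icmp_hdr + bytes(data_len)

def icmp_payload(pkt: bytes) -> bytes:
    """Bytes Snort matches dsize/content against for ICMP (assumption: Snort 2.x
    decoder). For echo request/reply the 4-byte id+seq is skipped as well, so
    the payload starts 8 bytes after the ICMP type field; other types skip 4."""
    ihl = (pkt[0] & 0x0F) * 4
    skip = 8 if pkt[ihl] in (0, 8) else 4
    return pkt[ihl + skip:]

def dsize_matches(spec: str, dsize: int) -> bool:
    """Snort dsize option syntax: 'N' (equal), '<N' (less), '>N' (greater)."""
    spec = spec.strip()
    if spec.startswith("<"):
        return dsize < int(spec[1:])
    if spec.startswith(">"):
        return dsize > int(spec[1:])
    return dsize == int(spec)

# The five checks from the post: msg suffix -> dsize option value.
RULES = {"eq 1470": "1470", "lt 1470": "<1470", "eq 1472": "1472",
         "eq 1471": "1471", "gt 1472": ">1472"}
CONTENT = bytes.fromhex("00" * 40)   # the |00...00| pattern: 40 zero bytes

def fired(total_len: int) -> list[str]:
    """Names of the posted rules that would fire on an echo of this IP length."""
    pkt = build_icmp_echo(total_len)
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[ihl] != 8 or pkt[ihl + 1] != 0:        # itype:8; icode:0;
        return []
    payload = icmp_payload(pkt)
    if CONTENT not in payload:                     # content:"|00...00|";
        return []
    return [msg for msg, spec in RULES.items() if dsize_matches(spec, len(payload))]

if __name__ == "__main__":
    for n in (1497, 1498, 1500, 1501):
        print(n, "->", fired(n))
```

Under this decoding a 1500-byte echo has a dsize of 1472, so only the "eq 1472" rule would fire on it; a 1498-byte echo is the one with dsize 1470.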
