[Snort-sigs] Proposed change to icmp-info.rules

Brian bmc at ...95...
Sun Jun 1 17:54:04 EDT 2003


On Wed, May 28, 2003 at 06:01:39PM +0000, Jim Breton wrote:
> This change attempts to accomplish two things:
> 
> 1. Adds a rule to identify Windows's ICMP traceroute;
> 
> 2. Moves the ICMP Ping rule below the generic ICMP traceroute rule (which,
> AFAICT, would never be triggered with the original rule ordering).

A couple of issues.

1) You reuse sid:385; sids are supposed to be unique.
2) I've seen other applications use 0x00000000000000 for a payload in
   ICMP packets.  I'd rather not add that rule since traceroute rules
   will catch it, and multiple sources use that payload.

-brian
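
The two objections above, as an added example that is not part of this thread or of the Snort project's own code: a small Python checker run over a constructed rules fragment that (a) reports any sid used more than once and (b) under first-match evaluation, which is assumed here because the quoted ordering argument relies on it, lists the rules that can never fire because an earlier, more general rule already claims every packet they would match. The three rule lines, the probe packets and all function names are constructed for the demonstration and are not copied from icmp-info.rules; the modelled option set is limited to itype, ttl and a hex content match.

```python
"""Two checks on a Snort-style rules fragment: duplicate sids, and rules
shadowed by an earlier rule under first-match evaluation.  Added example;
the rule text below is constructed, not copied from icmp-info.rules."""
import re
from collections import defaultdict

# Constructed fragment.  The third rule deliberately reuses sid:385 (the
# mistake pointed out in the reply) and the generic ping rule comes first
# (the ordering the proposal wanted to change).
RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype:8; sid:384; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; sid:385; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Windows traceroute"; itype:8; ttl:1; content:"|00 00 00 00 00 00 00 00|"; sid:385; rev:1;)
"""

RULE_RE = re.compile(
    r'^alert\s+icmp\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$')


def parse_rules(text):
    """Return one dict of option -> value per rule line (comments skipped)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unparsed rule: ' + line)
        opts = {}
        for opt in m.group('opts').split(';'):
            opt = opt.strip()
            if not opt:
                continue
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip().strip('"')
        rules.append(opts)
    return rules


def duplicate_sids(rules):
    """sid -> list of msgs, for every sid that appears more than once."""
    seen = defaultdict(list)
    for r in rules:
        seen[r['sid']].append(r['msg'])
    return {sid: msgs for sid, msgs in seen.items() if len(msgs) > 1}


def content_bytes(rule):
    """Decode a |hex| content option into raw bytes."""
    return bytes.fromhex(rule['content'].strip('|'))


def matches(rule, pkt):
    """Model only the options used in the fragment: itype, ttl, content."""
    if 'itype' in rule and pkt['itype'] != int(rule['itype']):
        return False
    if 'ttl' in rule and pkt['ttl'] != int(rule['ttl']):
        return False
    if 'content' in rule and content_bytes(rule) not in pkt['payload']:
        return False
    return True


def first_match(rules, pkt):
    """First-match evaluation (an assumption of this example): the first
    rule in file order that matches the packet is the one that fires."""
    for r in rules:
        if matches(r, pkt):
            return r['msg']
    return None


def probe_for(rule):
    """A constructed packet that satisfies exactly this rule's options."""
    payload = content_bytes(rule) if 'content' in rule else b'abcdefgh'
    return {'itype': int(rule.get('itype', 8)),
            'ttl': int(rule.get('ttl', 64)),
            'payload': payload}


def shadowed_rules(rules):
    """msgs of rules whose own probe packet is claimed by an earlier rule."""
    return [r['msg'] for r in rules
            if first_match(rules, probe_for(r)) != r['msg']]


if __name__ == '__main__':
    rules = parse_rules(RULES)
    print('duplicate sids:', duplicate_sids(rules))
    print('shadowed, file order:', shadowed_rules(rules))
    print('shadowed, ping last:', shadowed_rules(rules[1:] + rules[:1]))
```

Moving the ping rule to the end clears the shadowing of the generic traceroute rule, but the Windows-specific rule is still shadowed by the generic traceroute rule unless it is placed before it, which is the sense in which the reply says the traceroute rules will catch that traffic anyway.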
