[Snort-sigs] Proposed change to icmp-info.rules
bmc at ...95...
Sun Jun 1 17:54:04 EDT 2003
On Wed, May 28, 2003 at 06:01:39PM +0000, Jim Breton wrote:
> This change attempts to accomplish two things:
> 1. Adds a rule to identify Windows's ICMP traceroute;
> 2. Moves the ICMP Ping rule below the generic ICMP traceroute rule (which,
> AFAICT, would never be triggered with the original rule ordering).
A couple of issues.
1) You reuse sid:385; sids are supposed to be unique.
2) I've seen other applications use 0x00000000000000 for a payload in
ICMP packets. I'd rather not add that rule since traceroute rules
will catch it, and multiple sources use that payload.
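
Added example, not part of the original post or of the Snort project's code: a check for the first issue raised above, run before submitting a rules change, that reports any sid used by more than one active rule. The rules in SAMPLE_RULES are constructed for illustration, and the names logical_rules and audit_sids are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample rules (NOT the real icmp-info.rules); sid:385 is reused on purpose.
SAMPLE_RULES = r'''
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed traceroute rule"; itype:8; ttl:1; sid:385; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed second rule"; \
    itype:8; sid:385; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed ping rule"; itype:8; sid:1000001; rev:1;)
# alert icmp any any -> any any (msg:"disabled rule"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"rule with no sid"; itype:0;)
'''

SID_RE = re.compile(r'[;(]\s*sid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')

def logical_rules(text):
    """Yield (first_line_number, rule_text), joining backslash continuations."""
    buf, start = "", None
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Skip blank lines and commented-out (disabled) rules.
        if not buf and (not stripped or stripped.startswith("#")):
            continue
        start = start or n
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf, start = "", None

def audit_sids(text):
    """Return (duplicates, missing): sid -> [(line, msg), ...] and [line, ...]."""
    seen, missing = defaultdict(list), []
    for line_no, rule in logical_rules(text):
        sid = SID_RE.search(rule)
        msg = MSG_RE.search(rule)
        if sid is None:
            missing.append(line_no)
        else:
            seen[int(sid.group(1))].append((line_no, msg.group(1) if msg else ""))
    dups = {s: uses for s, uses in seen.items() if len(uses) > 1}
    return dups, missing

if __name__ == "__main__":
    dups, missing = audit_sids(SAMPLE_RULES)
    for sid, uses in sorted(dups.items()):
        print(f"sid {sid} reused:", ", ".join(f'line {n} ("{m}")' for n, m in uses))
    for n in missing:
        print(f"line {n}: rule has no sid")
```
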