[Snort-sigs] Traceroute test
Esler, Joel Contractor
EslerJ at ...785...
Tue Jun 17 10:36:13 EDT 2003
See, we've figured out that ISS's Trace_Route signature on the RealSecure IDS
triggers on a TTL Expire. Well, when we look in other logs besides the
RealSecure, apparently the connection never existed... So I want to develop
a signature that detects traceroutes...
From: Brian [mailto:bmc at ...95...]
Sent: Tuesday, June 17, 2003 1:26 PM
To: Esler, Joel Contractor
Cc: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] Traceroute test
On Tue, Jun 17, 2003 at 12:28:40PM -0400, Esler, Joel Contractor wrote:
> I think there is a way, however, refresh my memory...
> Since traceroute starts on port 33435 udp... We can write a rule to
> detect traceroutes...
Or you could use ttl:1;
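
The two suggestions in this thread (the UDP port starting at 33435 and ttl:1) combined into local Snort rules, as an added example that is not from either poster. It goes beyond the thread by also covering ICMP-echo traceroutes; the SIDs, msg strings and the upper port bound are assumptions.

```snort
# Added example: local rules, not from the thread or from the Snort rule set.
# SIDs (1000001+), msg text and the port upper bound are constructed.
# $EXTERNAL_NET and $HOME_NET are the usual snort.conf variables.

# UDP traceroute probe. The thread gives 33435 as the starting port; the
# port increments with each probe. The upper bound 33524 is an assumption
# (30 hops x 3 probes per hop). ttl:1 restricts the match to probes that
# reach the sensor with one hop left, which keeps ordinary high-port UDP
# traffic from firing the rule.
alert udp $EXTERNAL_NET any -> $HOME_NET 33435:33524 (msg:"LOCAL traceroute UDP probe ttl 1"; ttl:1; classtype:attempted-recon; sid:1000001; rev:1;)

# ICMP-echo traceroute probe (for example Windows tracert), which the
# port-based rule above cannot see. itype:8 is ICMP echo request.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL traceroute ICMP echo probe ttl 1"; itype:8; ttl:1; classtype:attempted-recon; sid:1000002; rev:1;)
```

ttl:1 only matches the probe that arrives at the sensor with a TTL of exactly 1; probes aimed at hops further inside the network pass the sensor with a higher TTL and are not matched by these rules.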