[Snort-sigs] Traceroute test

Esler, Joel Contractor EslerJ at ...785...
Tue Jun 17 10:36:13 EDT 2003


See, we've figured out that ISS's Trace_Route signature on the RealSecure IDS
triggers on a TTL Expire.  Well, when we look in other logs besides the
RealSecure apparently the connection never existed...  So I want to develop
a signature that detects traceroutes...

J

-----Original Message-----
From: Brian [mailto:bmc at ...95...] 
Sent: Tuesday, June 17, 2003 1:26 PM
To: Esler, Joel Contractor
Cc: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] Traceroute test


On Tue, Jun 17, 2003 at 12:28:40PM -0400, Esler, Joel  Contractor wrote:
> I think there is a way, however, refresh my memory...
> 
> Since traceroute starts on port 33435 udp...  We can write a rule to 
> detect traceroutes...

Uh...

Or you could use ttl:1;

-brian
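
The two approaches raised in this thread, compared on the same traffic. This is an added example, not code from either poster or from Snort. The packets are constructed, the function names are hypothetical, and the UDP port window 33434-33534 is an assumption about classic Unix traceroute defaults.

```python
import struct

# Assumption: the default UDP port window used by classic Unix traceroute.
UDP_PORTS = range(33434, 33535)

def ipv4(proto, ttl, l4):
    """Build a constructed IPv4 packet (documentation addresses, checksum 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto,
                      0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return hdr + l4

def udp(dport):
    return struct.pack("!HHHH", 40000, dport, 8, 0)   # sport, dport, len, csum

def icmp_echo():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)       # type 8 = echo request

def parse(pkt):
    """Return (ttl, protocol, layer-4 bytes) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[8], pkt[9], pkt[ihl:]

def match_port(pkt):
    """Port-based idea from the thread: UDP to the traceroute port window."""
    _, proto, l4 = parse(pkt)
    return proto == 17 and len(l4) >= 4 and \
        struct.unpack("!H", l4[2:4])[0] in UDP_PORTS

def match_ttl(pkt):
    """TTL-based idea from the thread (ttl:1): any packet arriving with TTL 1.
    A sensor only sees TTL 1 on the probe due to expire at the next hop."""
    return parse(pkt)[0] == 1

SAMPLES = {  # constructed packets
    "udp_probe": ipv4(17, 1, udp(33435)),      # Unix-style traceroute probe
    "icmp_probe": ipv4(1, 1, icmp_echo()),     # ICMP-based probe (e.g. tracert)
    "normal_udp": ipv4(17, 64, udp(33440)),    # ordinary UDP that hits the window
}

def compare():
    return {n: (match_port(p), match_ttl(p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (port_hit, ttl_hit) in compare().items():
        print(f"{name:11} port-rule={port_hit!s:5} ttl-rule={ttl_hit}")
```

The port match misses the ICMP probe and fires on ordinary UDP traffic that lands in the window, while the TTL match catches both probe types regardless of protocol.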