[Snort-sigs] Proposed change to icmp-info.rules

Jim Breton vader at ...1549...
Thu May 29 05:32:20 EDT 2003


This change attempts to accomplish two things:

1. Adds a rule to identify Windows's ICMP traceroute;

2. Moves the ICMP Ping rule below the generic ICMP traceroute rule (which,
AFAICT, would never be triggered with the original rule ordering).


--- rules.orig/icmp-info.rules       Wed May 21 04:15:32 2003
+++ rules/icmp-info.rules   Wed May 21 05:33:16 2003
@@ -30,8 +30,9 @@
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; content:"|88042020202020202020202020202020|"; itype:8; depth:32; reference:arachnids,166; sid:380;  classtype:misc-activity; rev:4;)
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; sid:381;  classtype:misc-activity; rev:4;)
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: 16; reference:arachnids,169; sid:382;  classtype:misc-activity; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype: 8; icode: 0; sid:384;  classtype:misc-activity; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute Windows"; ttl:1; itype: 8; content: "|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth: 32; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:1;)
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ";ttl:1;itype:8; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:2;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype: 8; icode: 0; sid:384;  classtype:misc-activity; rev:4;)
 alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; itype: 18; icode: 0; sid:386;  classtype:misc-activity; rev:4;)
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply (Undefined Code!)"; itype: 18; sid:387;  classtype:misc-activity; rev:4;)
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; itype: 17; icode: 0; sid:388;  classtype:misc-activity; rev:4;)
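Review bot: the added "ICMP traceroute Windows" rule reuses sid:385, which the existing "ICMP traceroute" rule on the very next line already carries; Snort requires a unique sid per rule, and two rules sharing one cannot be told apart in alert output or managed separately with the sid (disabling, referencing, revision tracking), so give the new rule an unused sid and keep its rev at 1. Minor: the new rule matches 16 content bytes but sets `depth: 32`; `depth: 16` bounds the search correctly and mirrors the neighbouring "ICMP PING Windows" rule, which uses `depth: 16` for the same-length content.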

-- 

Jim B.
vader at ...1549...
