[Snort-sigs] Pure Not Rule not Supported?

Amanda Meyer mandy at ...2298...
Mon Mar 8 08:13:11 EST 2004


Hello all,

I am currently running Snort 2.1.1 on a Win2K box, and trying to tune my
rules for my Windows network.  As you may already be aware, when you run
Snort on a Windows network, you tend to get false positives on the following
rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet";
dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499;
rev:3;)

This is usually caused by the fact that Windows networks like to send out
Slow Link Detection packets to help determine the speed of the link for
applying Group Policy security.  (See
http://www.wfu.edu/~steinsj5/work/icmp.html for more info).  This process
actually causes two false positives, since two packets are sent: the first
triggers the ICMP Ping NMAP rule, as it sends a 0 byte ping packet.  The
second triggers the rule above; the ICMP payload actually contains a .gif
image that has a distinct content of "WANG2.....JFIF".  I would like to
tweak the ICMP Large ICMP Packet rule to ignore any packets that have this
in the payload, but I'm running into a problem.  I am using the following
rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP, NOT M$
Slow Link Det"; content: ! "WANG2"; dsize: >800; reference:arachnids,246;
classtype:bad-unknown; sid:499; rev:3;)

What I hope to accomplish is to have the rule only alert if the large ICMP
packet does NOT contain "WANG2"; however, when I run snort (snort -A fast
-bpc e:\snort\etc\snort.conf -l e:\snort\log) with this rule enabled I get
the following error:

SNORT DETECTION ENGINE: Pure Not Rule 'ICMP Large ICMP, NOT M$ Slow Link
Det' not added to detection engine.  These rules are not supported at this
time.

However, when I look in the User Manual, I see the following for the syntax
of content:

If the rule is preceded by a !, the alert will be triggered on packets that
do not contain this content. This is useful when writing rules that want to
alert on packets that do not match a certain pattern

Format

content: [!] "<content string>";

I've tried every variation I can think of, with no success.  I'm relatively
new to Snort, so any insight and/or resources you can point me to would be
greatly appreciated!

Thank you,

am
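As an added illustration (not part of the post, and not Snort's own code), the following Python checker recognises the rule shape the error message describes, a rule whose only content options are negated, using the post's rule as its sample input, and evaluates the content/dsize options against constructed payloads to show the matching the author intended. The parser handles only the `content` and `dsize` options and is an assumption about how those options are written, not a full Snort rule parser.

```python
import re

# The rule quoted in the post, which Snort 2.1.1 refused to load.
PURE_NOT_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP, NOT M$ '
                 'Slow Link Det"; content: ! "WANG2"; dsize: >800; reference:arachnids,246; '
                 'classtype:bad-unknown; sid:499; rev:3;)')

# content: [!] "<string>"  and  dsize: [<|>]<n>  (whitespace tolerant, as in the post)
CONTENT_RE = re.compile(r'content:\s*(!?)\s*"([^"]*)"')
DSIZE_RE = re.compile(r'dsize:\s*([<>]?)\s*(\d+)')


def parse_rule(rule):
    """Return ([(negated, pattern), ...], (op, n) or None) for a rule string."""
    contents = [(neg == "!", pat) for neg, pat in CONTENT_RE.findall(rule)]
    m = DSIZE_RE.search(rule)
    dsize = (m.group(1) or "=", int(m.group(2))) if m else None
    return contents, dsize


def is_pure_not(rule):
    """True when the rule has content options and every one of them is negated,
    i.e. there is no positive pattern at all: the shape reported as
    'Pure Not Rule ... not supported' in the post."""
    contents, _ = parse_rule(rule)
    return bool(contents) and all(negated for negated, _ in contents)


def rule_matches(rule, payload):
    """Evaluate the rule's dsize and content options against a payload (bytes)."""
    contents, dsize = parse_rule(rule)
    if dsize is not None:
        op, n = dsize
        size = len(payload)
        if not {"<": size < n, ">": size > n, "=": size == n}[op]:
            return False
    for negated, pattern in contents:
        found = pattern.encode() in payload
        if found == negated:  # present but negated, or absent but required
            return False
    return True


if __name__ == "__main__":
    # Constructed payloads: a Slow Link Detection style packet and a plain large ping.
    slow_link = b"WANG2" + b"\x00" * 995
    big_ping = b"A" * 1000
    print("pure not rule:", is_pure_not(PURE_NOT_RULE))          # True
    print("slow link alerts:", rule_matches(PURE_NOT_RULE, slow_link))  # False
    print("big ping alerts:", rule_matches(PURE_NOT_RULE, big_ping))    # True
```

Adding any positive `content` option alongside the negated one makes `is_pure_not` return False, which is the distinction the error message draws.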
