[Snort-sigs] crappy rule for icmp floods

Lazar, Sean Sean_Lazar at ...2413...
Fri May 7 19:14:09 EDT 2004

This rule is somewhat crappy but it does detect some of the network
scanning viruses like Sasser. Is there a way to use thresholding in a
rule and also have it try to match other rules as well? Or does that go
against Snort philosophy...

alert icmp any any -> any any (msg:"20 ICMP in 1 second!!!"; threshold: type both, track by_src, count 20, seconds 1;)

I am sure there is a better way.
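
How the rule's `threshold: type both, track by_src, count 20, seconds 1` option behaves, as an added example that is not part of the original post: a simplified Python model (not Snort's own code) run over constructed ICMP timestamps. The class and function names, the window handling and the sample addresses are assumptions made for illustration.

```python
# Simplified model (an assumption, not Snort source code) of
# "threshold: type both, track by_src, count N, seconds T":
# per source address, count matching packets in a window that opens at the
# first packet; alert once when the count reaches N, then stay silent until
# the window has expired.

class BothThreshold:
    def __init__(self, count=20, seconds=1.0):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src -> [window_start, hits, alerted]

    def observe(self, ts, src):
        """Return True if this packet would raise the alert."""
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            # First packet from this source, or the old window has expired.
            st = self.state[src] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True  # "both": at most one alert per window
            return True
        return False


def run(packets, count=20, seconds=1.0):
    """packets: time-ordered (timestamp, src_ip) pairs for ICMP packets.
    Returns the (timestamp, src_ip) pairs at which an alert fires."""
    th = BothThreshold(count, seconds)
    return [(ts, src) for ts, src in packets if th.observe(ts, src)]


def sample_packets():
    # Constructed sample traffic (documentation addresses, not real hosts):
    # 192.0.2.10 sends 50 echo requests within 0.5 s, then 25 more from t=2.0;
    # 192.0.2.20 sends one ping per second.
    pk = [(i * 0.01, "192.0.2.10") for i in range(50)]
    pk += [(2.0 + i * 0.01, "192.0.2.10") for i in range(25)]
    pk += [(float(i), "192.0.2.20") for i in range(5)]
    return sorted(pk)


if __name__ == "__main__":
    for ts, src in run(sample_packets()):
        print(f"{ts:.2f}s alert: 20 ICMP in 1 second from {src}")
```

The burst source alerts once per window, on its 20th packet, and the one-ping-per-second host never alerts, which is why a bare rate rule like this flags both scanning worms and any legitimately chatty ICMP source.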