[Snort-sigs] crappy rule for icmp floods
jeff-kell at ...922...
Fri May 7 20:54:01 EDT 2004
James Riden wrote:
> Sasser.D may have an ICMP payload to check for, I haven't seen it here
> yet. There's a good Welchia sig which works as you suggest, but there
> was some payload to match as well.
I don't have a particular sig in mind, but we've had help from both
Sasser (which triggers the NMAP ping) and a Welchia/Nachi filter at our
border router with a policy to route them to Null0 (/dev/null).
Nachi is 92 bytes (64-byte payload), Sasser is 28 bytes (zero-byte
payload). The router filter only pays attention to packet length, as it
can do little else. Seems that tweaking a signature for content might
improve the Nachi catcher; but I don't see any significant difference
between the raw "real" NMAP pings versus the Sasser variant with pings.
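As an added illustration of the length-only approach described above (this is example code written for this page, not a Snort rule, not the border-router filter, and not code from anyone on the thread), the block below parses raw IPv4/ICMP echo requests and classifies them purely by IP total length, using the two figures from the message: 92 bytes (64-byte ICMP payload) for Nachi/Welchia and 28 bytes (zero-byte payload) for the Sasser-triggered pings. Because the message notes that a 28-byte Sasser ping is indistinguishable by length from a plain NMAP ping, the classifier deliberately returns a single "nmap-or-sasser" label for that case. The function names, the packet builder, and the sample payloads (including the optional content pattern used to refine the Nachi match) are all constructed for this example and are not the real worm payloads.

```python
import struct

# Figures taken from the thread: total IPv4 length of the echo requests.
# 20-byte IP header + 8-byte ICMP header + payload.
NACHI_TOTAL_LEN = 92           # 64-byte ICMP payload
NMAP_OR_SASSER_TOTAL_LEN = 28  # zero-byte ICMP payload
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(pkt: bytes):
    """Return (total_len, icmp_type, icmp_payload) for a well-formed IPv4/ICMP
    packet, or None for anything else (non-IPv4, non-ICMP, truncated)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    if ihl < 20 or proto != 1 or total_len > len(pkt) or total_len < ihl + 8:
        return None
    icmp_type = pkt[ihl]
    payload = pkt[ihl + 8:total_len]
    return total_len, icmp_type, payload


def classify_echo_request(pkt: bytes, nachi_pattern: bytes = None) -> str:
    """Length-based classification, as a router ACL would do it.  If a
    nachi_pattern is supplied, the 92-byte match is only reported when the
    payload also consists of that byte repeated (the "content tweak" the
    message suggests); otherwise length alone decides."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return "not-icmp"
    total_len, icmp_type, payload = parsed
    if icmp_type != ICMP_ECHO_REQUEST:
        return "icmp-other"
    if total_len == NACHI_TOTAL_LEN:
        if nachi_pattern is None or payload == nachi_pattern * (len(payload) // len(nachi_pattern)):
            return "nachi-length"
        return "echo-request"          # right size, wrong content
    if total_len == NMAP_OR_SASSER_TOTAL_LEN:
        return "nmap-or-sasser-length"  # length cannot tell these apart
    return "echo-request"


def build_echo_request(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
                       ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct a test IPv4/ICMP packet (constructed data, 10.0.0.1 -> 10.0.0.2)
    with valid header checksums so a real parser would accept it."""
    total_len = 20 + 8 + len(payload)
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ip_hdr + icmp


def summarize(packets) -> dict:
    """Count packets per class; a flood shows up as a large count in one bucket."""
    counts = {}
    for pkt in packets:
        label = classify_echo_request(pkt)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [build_echo_request(b"\xaa" * 64)] * 3 + [build_echo_request(b"")] * 2
    sample.append(build_echo_request(b"\x00" * 56))  # ordinary 84-byte ping
    print(summarize(sample))
```

The `summarize` helper is the part that maps onto "icmp floods": in practice you would feed it packets from a capture window and alert when the nachi or nmap-or-sasser bucket dominates, which is exactly the coarse, length-only signal the message says the router can act on.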