[Snort-sigs] crappy rule for icmp floods

Jeff Kell jeff-kell at ...922...
Fri May 7 20:54:01 EDT 2004


James Riden wrote:

> Sasser.D may have an ICMP payload to check for, I haven't seen it here
> yet.  There's a good Welchia sig which works as you suggest, but there
> was some payload to match as well.

I don't have a particular sig in mind, but we've had help from both 
Sasser (which triggers the NMAP ping) and a Welchia/Nachi filter at our 
border router with a policy to route them to Null0 (/dev/null).

Nachi is 92 bytes (64-byte payload), Sasser is 28 bytes (zero-byte 
payload).  The router filter only pays attention to packet length, as it 
can do little else.  Seems that tweaking a signature for content might 
improve the Nachi catcher; but I don't see any significant difference 
between the raw "real" NMAP pings versus the Sasser variant with pings.

Jeff
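The length-only check described in the post, as an added example that is not code from the post, the router, or Snort: a Python block that builds IPv4 ICMP echo requests and classifies them by total length, the only thing the border-router filter looks at. The 92-byte (64-byte payload) and 28-byte (zero-byte payload) figures are the ones given above; the packets, addresses, identifiers and function names are constructed here for illustration.

```python
"""Classify ICMP echo requests by IPv4 total length, as a router ACL would.

Added example, not code from the post. Packet contents are constructed
inline; the lengths (92 bytes / 64-byte payload for Nachi, 28 bytes /
zero payload for Sasser's NMAP-style ping) are taken from the post.
"""
import struct

ICMP_ECHO_REQUEST = 8
IPV4_HDR_LEN = 20   # no options
ICMP_HDR_LEN = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header + data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Minimal IPv4 header (20 bytes) + ICMP echo request with `payload`.

    Addresses 10.0.0.1 -> 10.0.0.2 are placeholders; the IP checksum is
    left zero because the classifier below does not verify it.
    """
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    total_len = IPV4_HDR_LEN + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + icmp


def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet the way a length-only ICMP filter would.

    Returns one of: "short", "not-icmp", "icmp-other", "nachi-length",
    "nmap-or-sasser-length", "echo-other".  Only total length and the
    ICMP type are examined; no payload content is matched.
    """
    if len(packet) < IPV4_HDR_LEN:
        return "short"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if proto != 1 or total_len != len(packet) or len(packet) < ihl + ICMP_HDR_LEN:
        return "not-icmp"
    if packet[ihl] != ICMP_ECHO_REQUEST:
        return "icmp-other"
    payload_len = total_len - ihl - ICMP_HDR_LEN
    # 20-byte IP header + 8-byte ICMP header + 64-byte payload = 92 bytes
    if total_len == 92 and payload_len == 64:
        return "nachi-length"
    # 20-byte IP header + 8-byte ICMP header + no payload = 28 bytes
    if total_len == 28 and payload_len == 0:
        return "nmap-or-sasser-length"
    return "echo-other"


if __name__ == "__main__":
    for name, pkt in (("nachi-like", build_echo_request(b"\xaa" * 64)),
                      ("bare ping", build_echo_request(b"")),
                      ("32-byte ping", build_echo_request(b"x" * 32))):
        print(f"{name:12s} len={len(pkt):3d} -> {classify(pkt)}")
```

The classifier reproduces the post's limitation deliberately: a 28-byte echo request from a plain NMAP ping and one from Sasser look identical to it, which is why the post sees no difference between them, while the 92-byte Nachi case is the one where adding a content match on the 64-byte payload would tighten the rule. If you turn this into a Snort rule, remember that `dsize` measures the ICMP data after the 8-byte ICMP header, so the values to compare against are 64 and 0, not 92 and 28.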





More information about the Snort-sigs mailing list