[Snort-sigs] Duplicate icmp SID 482?

xaz129 michaelm14 at ...2420...
Wed Feb 2 08:31:57 EST 2005


I noticed an alert using Oinkmaster and I verified it in my rules
file.  I have two SIDs numbered 482 under icmp.rules.  They are shown
below:

/etc/snort/rules/icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows";itype:8;content:"WhatsUp - A Netw";depth:32;reference:arachnids,168;classtype:misc-activity;sid:482;rev:5;)

and

/etc/snort/rules/icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows";itype:8;content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|";depth:32;reference:arachnids,154;classtype:misc-attack;sid:482;priority:2;rev:5;)

I didn't see anything in the archived history regarding this.  Has
anyone else noticed it?
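
A check for the condition reported in this message, as an added example that is not part of the original post and not code from Snort or Oinkmaster: it reports every SID carried by more than one active rule. The sample input is constructed from the two rules quoted above plus a made-up decoy rule (sid 1000001); the function names are hypothetical, and treating a rule without a gid option as generator 1 is an assumption.

```python
import re
from collections import defaultdict

# Constructed input: the two sid:482 rules quoted in the post, plus a made-up
# decoy whose content string contains "sid:482;" and which spans two lines.
SAMPLE = r'''
# icmp.rules excerpt (constructed)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows";itype:8;content:"WhatsUp - A Netw";depth:32;reference:arachnids,168;classtype:misc-activity;sid:482;rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows";itype:8;content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|";depth:32;reference:arachnids,154;classtype:misc-attack;sid:482;priority:2;rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Constructed decoy";itype:8; \
    content:"sid:482;";sid:1000001;rev:1;)
'''

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # a quoted option value
ACTION = re.compile(r'^(alert|log|pass|activate|dynamic|drop|reject|sdrop)\s')
MSG = re.compile(r'msg\s*:\s*"((?:\\.|[^"\\])*)"')

def logical_rules(text):
    """Yield (first_line_no, rule) for active rules, joining '\\' continuations."""
    buf, start = "", 0
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        rule, buf = buf + line, ""
        if ACTION.match(rule):              # skips blanks and '#' comments
            yield start, rule

def option(rule, name):
    """Numeric value of a rule option, ignoring text inside quoted strings."""
    m = re.search(r'[(;]\s*%s\s*:\s*(\d+)\s*;' % name, QUOTED.sub('""', rule))
    return int(m.group(1)) if m else None

def duplicate_sids(text, source="<sample>"):
    """Map (gid, sid) -> [(source, line, rev, msg), ...] for ids used twice or more."""
    seen = defaultdict(list)
    for lineno, rule in logical_rules(text):
        sid = option(rule, "sid")
        if sid is None: continue
        gid = option(rule, "gid") or 1      # assumption: no gid option means 1
        msg = MSG.search(rule)
        seen[(gid, sid)].append((source, lineno, option(rule, "rev"), msg.group(1) if msg else ""))
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (gid, sid), hits in duplicate_sids(SAMPLE).items():
        for src, lineno, rev, msg in hits:
            print("gid %d sid %d rev %s  %s:%d  %s" % (gid, sid, rev, src, lineno, msg))
```

To check real rule files, read each file's text and pass it to `duplicate_sids` together with the file name, merging results across files if SIDs must be unique over the whole rule set.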