[Snort-sigs] Fwd: Duplicate icmp SID 482?

xaz129 michaelm14 at ...2420...
Wed Feb 2 08:32:03 EST 2005


Ugh... never mind. I finally found my typo in oinkmaster.  I had
changed sid 483 to 482...


---------- Forwarded message ----------
From: xaz129 <michaelm14 at ...2420...>
Date: Wed, 2 Feb 2005 09:32:41 -0500
Subject: Duplicate icmp SID 482?
To: snort-sigs at lists.sourceforge.net


I noticed an alert using Oinkmaster and I verified it in my rules
file.  I have two SIDs numbered 482 under icmp.rules.  They are shown
below:

/etc/snort/rules/icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows";itype:8;content:"WhatsUp - A Netw";depth:32;reference:arachnids,168;classtype:misc-activity;sid:482;rev:5;)

and

/etc/snort/rules/icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows";itype:8;content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|";depth:32;reference:arachnids,154;classtype:misc-attack;sid:482;priority:2;rev:5;)

I didn't see anything in the archived history regarding this.  Has
anyone else noticed it?
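
A check for the condition discussed in this thread, as an added example that is not part of the original posts: it scans rules text for active rules that share a gid/sid pair, so a local edit that collides with an existing SID is caught before Snort loads the file. The function names and the last two sample rules are constructed for illustration; a rule without a gid option is treated as gid 1.

```python
import re
from collections import defaultdict

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
MSG = re.compile(r'\bmsg\s*:\s*"((?:\\.|[^"\\])*)"')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

# First two rules are the ones quoted in the thread; the last two are constructed.
SAMPLE = r'''alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows";itype:8;content:"WhatsUp - A Netw";depth:32;reference:arachnids,168;classtype:misc-activity;sid:482;rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows";itype:8;content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|";depth:32;reference:arachnids,154;classtype:misc-attack;sid:482;priority:2;rev:5;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"disabled local rule"; sid:482; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed multi-line rule"; itype:8; \
    sid:1000001; rev:1;)
'''

def logical_lines(text):
    """Yield (first_line_number, rule_text), joining backslash-continued lines."""
    buf, start = "", 0
    for no, line in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf = ""
    if buf:  # file ended in the middle of a continued rule
        yield start, buf

def find_duplicate_sids(text):
    """Return {(gid, sid): [(line_no, msg), ...]} for ids used by more than one active rule."""
    seen = defaultdict(list)
    for no, rule in logical_lines(text):
        rule = rule.strip()
        if not rule or rule.startswith("#"):  # blank or commented-out rule
            continue
        msg = MSG.search(rule)
        bare = QUOTED.sub('""', rule)  # ignore option-like text inside quoted strings
        sid = SID.search(bare)
        if not sid:
            continue
        gid = GID.search(bare)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        seen[key].append((no, msg.group(1) if msg else ""))
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(find_duplicate_sids(SAMPLE))
```
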



