[Snort-sigs] New rule for detect "ICMP DoS HOD brute force"

rmkml rmkml at ...324...
Tue Oct 11 15:17:42 EDT 2005


Hi,

Please check and add this new rule:

icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP DoS HOD brute force exploit"; itype:3; icode:2; content:"|23 48 4F 44|"; )

ICMP attacks against TCP:
   MS05-019
   CISCO:20050412

On this rule, it is possible to remove the content arg, because it's not very 
good if you receive ICMP proto unreach! (The good ones are host/net/port unreach.)

More info at: http://www.securitylab.ru/poc/222163.php

Regards
Rmkml
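
An added example, not part of the original post: a Python check that applies the rule's three conditions (itype:3, icode:2, content "|23 48 4F 44|") to constructed ICMP messages, with and without the content option, to show what each variant of the rule would alert on. The packet layouts, addresses and function names are assumptions made for illustration, and searching everything after the type/code/checksum fields is a simplification of how Snort delimits the payload.

```python
import struct

# Bytes from the rule's content:"|23 48 4F 44|" option (ASCII "#HOD").
HOD_MARKER = bytes.fromhex("23484F44")

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(itype: int, icode: int, body: bytes) -> bytes:
    """ICMP error message: type, code, checksum, 4 unused bytes, then body."""
    csum = inet_checksum(struct.pack("!BBHI", itype, icode, 0, 0) + body)
    return struct.pack("!BBHI", itype, icode, csum, 0) + body

def rule_matches(icmp: bytes, require_content: bool = True) -> bool:
    """Apply itype:3; icode:2; and, optionally, the content match."""
    if len(icmp) < 8 or (icmp[0], icmp[1]) != (3, 2):
        return False
    return (not require_content) or HOD_MARKER in icmp[4:]

# Constructed sample data: quoted IP header plus first 8 TCP bytes, using
# documentation addresses. Where the marker sits is an assumption.
QUOTED = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
QUOTED += struct.pack("!HHI", 1025, 80, 0)

SAMPLES = {
    "proto-unreach with marker": build_icmp(3, 2, QUOTED + HOD_MARKER),
    "proto-unreach without marker": build_icmp(3, 2, QUOTED),
    "port-unreach with marker": build_icmp(3, 3, QUOTED + HOD_MARKER),
}

def evaluate() -> dict:
    """Return {sample: (rule as posted, rule with content removed)}."""
    return {name: (rule_matches(pkt), rule_matches(pkt, False))
            for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (posted, no_content) in evaluate().items():
        print(f"{name:30} posted={posted} no_content={no_content}")
```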



