[Snort-sigs] New rule for detect "ICMP DoS HOD brute force"
rmkml at ...324...
Tue Oct 11 15:17:42 EDT 2005
Please check and add this new rule:
icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP DoS HOD brute force exploit"; itype:3; icode:2; content:"|23 48 4F 44|"; )
ICMP attacks against TCP:
For this rule, it is possible to remove the content argument, because it's
not very good if you receive ICMP proto unreach! (host/net/port unreach are good)
More info at: http://www.securitylab.ru/poc/222163.php
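
Added example, not part of the original post: a small Python check that mirrors the rule's three tests (itype:3, icode:2, content "|23 48 4F 44|") and runs it, with and without the content test, over constructed ICMP messages to show what each variant alerts on. The function names, the sample messages and the choice to search the bytes after the 8-byte ICMP header are assumptions made for this illustration.

```python
import struct

# content:"|23 48 4F 44|" from the rule, i.e. the ASCII bytes "#HOD"
HOD_MARKER = bytes.fromhex("23484F44")


def build_icmp(itype: int, icode: int, body: bytes) -> bytes:
    """Constructed ICMP message: type, code, checksum (left 0), 4 unused bytes, body."""
    return struct.pack("!BBHI", itype, icode, 0, 0) + body


def rule_matches(icmp: bytes, require_content: bool = True) -> bool:
    """Apply itype:3; icode:2; and optionally the content test to one message."""
    if len(icmp) < 8:
        return False  # too short to carry an ICMP header
    if (icmp[0], icmp[1]) != (3, 2):  # destination unreachable / protocol unreachable
        return False
    # Assumption: the content search covers the bytes after the ICMP header.
    return (not require_content) or HOD_MARKER in icmp[8:]


# Constructed samples; the 28 zero bytes stand in for the quoted IP header + 8 bytes.
SAMPLES = {
    "proto-unreach with marker": build_icmp(3, 2, bytes(28) + HOD_MARKER),
    "proto-unreach, no marker": build_icmp(3, 2, bytes(28)),
    "port-unreach with marker": build_icmp(3, 3, bytes(28) + HOD_MARKER),
    "echo request": build_icmp(8, 0, b"ping"),
}


def evaluate() -> dict:
    """Return {sample name: (alert with content test, alert without it)}."""
    return {
        name: (rule_matches(msg, True), rule_matches(msg, False))
        for name, msg in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (with_content, without_content) in evaluate().items():
        print(f"{name:28} with content={with_content!s:5} without={without_content}")
```

Without the content test the rule alerts on every protocol-unreachable message from $EXTERNAL_NET, so the alert volume depends on how often such messages legitimately reach the monitored network.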