[Snort-sigs] New rule to detect "ICMP DoS HOD brute force"

Alex Kirk alex.kirk at ...435...
Wed Oct 12 08:26:50 EDT 2005


A rule that provides essentially identical detection to what you're 
proposing here (it does not look for the content, but as you note the 
content is not necessarily worth keeping) already exists as SID 404. 
While it's in icmp-info.rules, the tool referenced here generates 65536 
packets in roughly 1-2 seconds; since Snort alerts on each of those 
packets, I'm pretty sure that anyone who saw that many alerts appearing 
that quickly would realize that some sort of attack was under way.

Alex Kirk
Community Rules Maintainer
Sourcefire, Inc.

> Hi,
>
> Please check and add this new rule :
>
> icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP DoS HOD brute force exploit"; itype:3; icode:2; content:"|23 48 4F 44|"; )
>
> ICMP attacks against TCP :
>   MS05-019
>   CISCO:20050412
>
> On this rule, possibly remove the content arg because it's not very good
> if you receive an ICMP proto unreach! (good ones are host/net/port unreach)
>
> More info on : http://www.securitylab.ru/poc/222163.php
>
> Regards
> Rmkml
>
>
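The rule proposed above matches every ICMP type 3 / code 2 (protocol unreachable) message, and Alex's reply points out that the tool in question emits 65536 of them in a second or two, so a per-packet rule produces a flood of alerts. The script below is an added example written for this thread (it is not code from the thread, from Snort, or from Sourcefire): it parses the ICMP header and checksum of each message, filters for type 3 / code 2, and collapses a burst from one source into a single alert using a sliding one-second window. The host addresses, timestamps, the 100-packets-per-second threshold and the packets themselves are constructed for the demonstration.

```python
"""Parse ICMP destination-unreachable messages and collapse a burst of
type 3 / code 2 (protocol unreachable) packets from one source into a
single alert.  Added example; not part of the original thread."""
import struct
from collections import deque

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_PROT_UNREACH = 2   # code: protocol unreachable (what the proposed rule matches)


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_unreach(code: int, inner: bytes) -> bytes:
    """Constructed type 3 message carrying `inner` (the quoted original datagram)."""
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = icmp_checksum(header + inner)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + inner


def parse_icmp(pkt: bytes):
    """Return (type, code, checksum_ok, quoted_datagram), or None if too short."""
    if len(pkt) < 8:
        return None
    itype, icode, _csum, _unused = struct.unpack("!BBHI", pkt[:8])
    # A valid message sums to 0xFFFF including its own checksum field, so the
    # complemented sum is zero.
    return itype, icode, icmp_checksum(pkt) == 0, pkt[8:]


class IcmpBurstDetector:
    """Alert once per source when `threshold` protocol-unreachable messages
    arrive within `window` seconds (a sliding window of timestamps)."""

    def __init__(self, threshold: int = 100, window: float = 1.0):
        self.threshold = threshold
        self.window = window
        self._seen = {}        # src -> deque of timestamps inside the window
        self._alerted = set()  # sources already reported

    def feed(self, ts: float, src: str, pkt: bytes):
        parsed = parse_icmp(pkt)
        if parsed is None:
            return None
        itype, icode, _ok, _inner = parsed
        if not (itype == ICMP_DEST_UNREACH and icode == ICMP_PROT_UNREACH):
            return None
        q = self._seen.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold and src not in self._alerted:
            self._alerted.add(src)
            return {"src": src, "count": len(q), "first": q[0], "last": ts}
        return None


def analyze(events, threshold: int = 100, window: float = 1.0):
    """events: iterable of (timestamp, source_ip, raw_icmp_bytes). Returns alerts."""
    det = IcmpBurstDetector(threshold, window)
    alerts = []
    for ts, src, pkt in events:
        alert = det.feed(ts, src, pkt)
        if alert:
            alerts.append(alert)
    return alerts


def sample_events():
    """Constructed traffic: one host floods 300 protocol-unreachable messages in
    one second; another host sends three ordinary port-unreachable replies."""
    inner = bytes(28)  # stand-in for the quoted IP header + 8 bytes of the original datagram
    flood = [(10.0 + i / 300.0, "198.51.100.7",
              build_icmp_unreach(ICMP_PROT_UNREACH, inner)) for i in range(300)]
    benign = [(10.0 + i * 0.3, "203.0.113.9",
               build_icmp_unreach(3, inner)) for i in range(3)]  # code 3 = port unreachable
    return sorted(flood + benign, key=lambda e: e[0])


if __name__ == "__main__":
    for a in analyze(sample_events()):
        print("ICMP proto-unreach burst from %s: %d msgs in %.2fs"
              % (a["src"], a["count"], a["last"] - a["first"]))
```

The sample run yields exactly one alert for the flooding host and none for the host sending port-unreachable replies, which is the behaviour Alex describes wanting from an operator's point of view: one clear signal that an attack is under way rather than tens of thousands of identical lines.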
