[Snort-sigs] New rule for detect "ICMP DoS HOD brute force"

rmkml rmkml at ...324...
Wed Oct 12 12:37:44 EDT 2005


Hi Alex,

> A rule that provides essentially identical detection to what you're proposing 
> here (it does not look for the content, but as you note the content is not 
> necessarily worth keeping) already exists as SID 404. While it's in 
> icmp-info.rules, the tool referenced here generates 65536 packets in roughly 
> 1-2 seconds; since Snort alerts on each of those packets, I'm pretty sure 
> that anyone who saw that many alerts appearing that quickly would realize 
> that some sort of attack was under way.

Please drop my submitted rule.
Thx
Rmkml



