[Snort-sigs] New rule for detect "ICMP DoS HOD brute force"
rmkml at ...324...
Wed Oct 12 12:37:44 EDT 2005
> A rule that provides essentially identical detection to what you're proposing
> here (it does not look for the content, but as you note the content is not
> necessarily worth keeping) already exists as SID 404. While it's in
> icmp-info.rules, the tool referenced here generates 65536 packets in roughly
> 1-2 seconds; since Snort alerts on each of those packets, I'm pretty sure
> that anyone who saw that many alerts appearing that quickly would realize
> that some sort of attack was under way.
Please drop my submitted rule.